Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: DependencyCheck

ApplicationSecurity:DependencyCheck:0.0.1-SNAPSHOT

Scan Information:

Display: Showing Vulnerable Dependencies

Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count
(A "-" cell means the report lists no value for that column.)

xercesImpl-2.12.0.jar | cpe:/a:apache:xerces2_java:2.12.0 | xerces:xercesImpl:2.12.0 | - | 0 | Low | 49
xml-apis-1.4.01.jar | - | xml-apis:xml-apis:1.4.01 | - | 0 | - | 46
slf4j-api-1.7.22.jbossorg-1.jar | cpe:/a:slf4j:slf4j:1.7.22 | org.slf4j:slf4j-api:1.7.22.jbossorg-1 | - | 0 | Low | 27
artemis-boot-1.4.0.jar | - | org.apache.activemq:artemis-boot:1.4.0 | - | 0 | - | 21
artemis-server-1.4.0.jar | - | org.apache.activemq:artemis-server:1.4.0 | - | 0 | - | 21
artemis-commons-1.4.0.jar | - | org.apache.activemq:artemis-commons:1.4.0 | - | 0 | - | 21
artemis-selector-1.4.0.jar | - | org.apache.activemq:artemis-selector:1.4.0 | - | 0 | - | 21
artemis-journal-1.4.0.jar | - | org.apache.activemq:artemis-journal:1.4.0 | - | 0 | - | 21
netty-all-4.0.39.Final.jar | cpe:/a:netty_project:netty:4.0.39 | io.netty:netty-all:4.0.39.Final | - | 0 | Low | 18
artemis-dto-1.4.0.jar | - | org.apache.activemq:artemis-dto:1.4.0 | - | 0 | - | 21
artemis-cli-1.4.0.jar | - | org.apache.activemq:artemis-cli:1.4.0 | - | 0 | - | 21
artemis-jms-server-1.4.0.jar | - | org.apache.activemq:artemis-jms-server:1.4.0 | - | 0 | - | 21
artemis-service-extensions-1.4.0.jar | - | org.apache.activemq:artemis-service-extensions:1.4.0 | - | 0 | - | 21
geronimo-jms_2.0_spec-1.0-alpha-2.jar | - | org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2 | - | 0 | - | 27
geronimo-ejb_3.0_spec-1.0.1.jar | - | org.apache.geronimo.specs:geronimo-ejb_3.0_spec:1.0.1 | - | 0 | - | 23
geronimo-jta_1.1_spec-1.1.1.jar | - | org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1 | - | 0 | - | 23
artemis-jms-client-1.4.0.jar | - | org.apache.activemq:artemis-jms-client:1.4.0 | - | 0 | - | 21
artemis-ra-1.4.0.jar | - | org.apache.activemq:artemis-ra:1.4.0 | - | 0 | - | 21
artemis-spring-integration-1.4.0.jar | - | org.apache.activemq:artemis-spring-integration:1.4.0 | - | 0 | - | 21
spring-tx-3.1.4.RELEASE.jar | cpe:/a:vmware:springsource_spring_framework:3.1.4; cpe:/a:pivotal:spring_framework:3.1.4; cpe:/a:pivotal_software:spring_framework:3.1.4; cpe:/a:springsource:spring_framework:3.1.4 | org.springframework:spring-tx:3.1.4.RELEASE | High | 12 | Highest | 21
artemis-vertx-integration-1.4.0.jar | - | org.apache.activemq:artemis-vertx-integration:1.4.0 | - | 0 | - | 21
artemis-rest-1.4.0.jar | cpe:/a:apache:activemq_artemis:1.4.0 | org.apache.activemq.rest:artemis-rest:1.4.0 | High | 1 | Low | 21
resteasy-jaxrs-3.0.17.Final.jar | - | org.jboss.resteasy:resteasy-jaxrs:3.0.17.Final | - | 0 | - | 26
jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar | - | org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.0.Final | - | 0 | - | 39
jboss-annotations-api_1.2_spec-1.0.0.Final.jar | - | org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final | - | 0 | - | 37
activation-1.1.1.jar | - | javax.activation:activation:1.1.1 | - | 0 | - | 21
jcip-annotations-1.0.jar | - | net.jcip:jcip-annotations:1.0 | - | 0 | - | 17
resteasy-jaxb-provider-3.0.17.Final.jar | - | org.jboss.resteasy:resteasy-jaxb-provider:3.0.17.Final | - | 0 | - | 26
resteasy-jackson-provider-3.0.17.Final.jar | - | org.jboss.resteasy:resteasy-jackson-provider:3.0.17.Final | - | 0 | - | 26
resteasy-atom-provider-3.0.17.Final.jar | - | org.jboss.resteasy:resteasy-atom-provider:3.0.17.Final | - | 0 | - | 26
tjws-3.0.17.Final.jar | - | org.jboss.resteasy:tjws:3.0.17.Final | - | 0 | - | 26
servlet-api-2.5.jar | - | javax.servlet:servlet-api:2.5 | - | 0 | - | 15
geronimo-annotation_1.1_spec-1.0.1.jar | - | org.apache.geronimo.specs:geronimo-annotation_1.1_spec:1.0.1 | - | 0 | - | 29
artemis-aerogear-integration-1.4.0.jar | - | org.apache.activemq:artemis-aerogear-integration:1.4.0 | - | 0 | - | 21
unifiedpush-java-client-1.0.0.jar | - | org.jboss.aerogear:unifiedpush-java-client:1.0.0 | - | 0 | - | 28
base64-2.3.8.jar | - | net.iharder:base64:2.3.8 | - | 0 | - | 17
artemis-web-1.4.0.jar | - | org.apache.activemq:artemis-web:1.4.0 | - | 0 | - | 21
artemis-core-client-1.4.0.jar | - | org.apache.activemq:artemis-core-client:1.4.0 | - | 0 | - | 21
jgroups-3.6.9.Final.jar | - | org.jgroups:jgroups:3.6.9.Final | - | 0 | - | 29
artemis-proton-plug-1.4.0.jar | cpe:/a:apache:apache_http_server:1.4.0 | org.apache.activemq:artemis-proton-plug:1.4.0 | Medium | 2 | Low | 30
proton-j-0.12.2.jar | cpe:/a:apache:qpid_proton:0.12.2 | org.apache.qpid:proton-j:0.12.2 | Medium | 1 | Highest | 21
jboss-logging-processor-2.0.0.Alpha2.jar | - | org.jboss.logging:jboss-logging-processor:2.0.0.Alpha2 | - | 0 | - | 27
jboss-logging-annotations-2.0.0.Alpha2.jar | - | org.jboss.logging:jboss-logging-annotations:2.0.0.Alpha2 | - | 0 | - | 27
jdeparser-2.0.0.Final.jar | - | org.jboss.jdeparser:jdeparser:2.0.0.Final | - | 0 | - | 26
artemis-native-1.4.0.jar | cpe:/a:apache:apache_http_server:1.4.0; cpe:/a:apache:http_server:1.4.0 | org.apache.activemq:artemis-native:1.4.0 | High | 66 | Highest | 24
artemis-jdbc-store-1.4.0.jar | - | org.apache.activemq:artemis-jdbc-store:1.4.0 | - | 0 | - | 21
artemis-website-1.4.0.jar | - | org.apache.activemq:artemis-website:1.4.0 | - | 0 | - | 21
jboss-logmanager-2.0.3.Final.jar | - | org.jboss.logmanager:jboss-logmanager:2.0.3.Final | - | 0 | - | 39
airline-0.7.jar | - | io.airlift:airline:0.7 | - | 0 | - | 20
javax.inject-1.jar | - | javax.inject:javax.inject:1 | - | 0 | - | 17
annotations-2.0.3.jar | - | com.google.code.findbugs:annotations:2.0.3 | - | 0 | - | 20
activemq-client-5.12.0.jar | cpe:/a:apache:activemq:5.12.0 | org.apache.activemq:activemq-client:5.12.0 | High | 9 | Highest | 23
geronimo-jms_1.1_spec-1.1.1.jar | - | org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1 | - | 0 | - | 23
hawtbuf-1.11.jar | - | org.fusesource.hawtbuf:hawtbuf:1.11 | - | 0 | - | 27
geronimo-j2ee-management_1.1_spec-1.0.1.jar | - | org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec:1.0.1 | - | 0 | - | 23
jetty-jmx-9.3.10.v20160621.jar | cpe:/a:eclipse:jetty:9.3.10; cpe:/a:jetty:jetty:9.3.10.v20160621 | org.eclipse.jetty:jetty-jmx:9.3.10.v20160621 | High | 5 | Low | 36
javax.annotation-api-1.2.jar | - | javax.annotation:javax.annotation-api:1.2 | - | 0 | - | 35
asm-5.0.1.jar | - | org.ow2.asm:asm:5.0.1 | - | 0 | - | 25
asm-commons-5.0.1.jar | - | org.ow2.asm:asm-commons:5.0.1 | - | 0 | - | 25
javax.security.auth.message-1.0.0.v201108011116.jar | cpe:/a:jetty:jetty:1.0.0.v20110801; cpe:/a:eclipse:jetty:1.0.0.v20110801 | org.eclipse.jetty.orbit:javax.security.auth.message:1.0.0.v201108011116 | High | 4 | Low | 31
javax.transaction-api-1.2.jar | - | javax.transaction:javax.transaction-api:1.2 | - | 0 | - | 35
websocket-api-9.3.10.v20160621.jar | - | org.eclipse.jetty.websocket:websocket-api:9.3.10.v20160621 | - | 0 | - | 32
javax-websocket-server-impl-9.3.10.v20160621.jar | cpe:/a:eclipse:jetty:9.3.10; cpe:/a:jetty:jetty:9.3.10.v20160621 | org.eclipse.jetty.websocket:javax-websocket-server-impl:9.3.10.v20160621 | High | 5 | Low | 34
websocket-server-9.3.10.v20160621.jar | cpe:/a:eclipse:jetty:9.3.10; cpe:/a:jetty:jetty:9.3.10.v20160621 | org.eclipse.jetty.websocket:websocket-server:9.3.10.v20160621 | High | 5 | Low | 34
http2-server-9.3.10.v20160621.jar | cpe:/a:jetty:jetty_http_server:9.3.10.v20160621 | org.eclipse.jetty.http2:http2-server:9.3.10.v20160621 | - | 0 | Low | 32
http2-common-9.3.10.v20160621.jar | cpe:/a:eclipse:jetty:9.3.10; cpe:/a:jetty:jetty:9.3.10.v20160621 | org.eclipse.jetty.http2:http2-common:9.3.10.v20160621 | High | 5 | Low | 32
http2-hpack-9.3.10.v20160621.jar | cpe:/a:eclipse:jetty:9.3.10 | org.eclipse.jetty.http2:http2-hpack:9.3.10.v20160621 | High | 5 | Low | 32
javax.websocket-api-1.0.jar | - | javax.websocket:javax.websocket-api:1.0 | - | 0 | - | 26
javax.mail.glassfish-1.4.1.v201005082020.jar | cpe:/a:eclipse:jetty:1.4.1.v20100508; cpe:/a:jetty:jetty:1.4.1.v20100508 | org.eclipse.jetty.orbit:javax.mail.glassfish:1.4.1.v201005082020 | High | 4 | Low | 25
javax.activation-1.1.0.v201105071233.jar | cpe:/a:eclipse:jetty:1.1.0.v20110507; cpe:/a:jetty:jetty:1.1.0.v20110507 | org.eclipse.jetty.orbit:javax.activation:1.1.0.v201105071233 | High | 4 | Low | 25
tomcat-servlet-api-8.0.23.jar | - | org.apache.tomcat:tomcat-servlet-api:8.0.23 | - | 0 | - | 16
commons-beanutils-1.9.2.jar | cpe:/a:apache:commons_beanutils:1.9.2 | commons-beanutils:commons-beanutils:1.9.2 | - | 0 | Low | 33
commons-logging-1.2.jar | - | commons-logging:commons-logging:1.2 | - | 0 | - | 33
netty-transport-5.0.0.Alpha2.jar | cpe:/a:netty_project:netty:5.0.0 | io.netty:netty-transport:5.0.0.Alpha2 | - | 0 | Low | 22
geronimo-json_1.0_spec-1.0-alpha-1.jar | - | org.apache.geronimo.specs:geronimo-json_1.0_spec:1.0-alpha-1 | - | 0 | - | 27
johnzon-core-0.9.4.jar | - | org.apache.johnzon:johnzon-core:0.9.4 | - | 0 | - | 30
nifi-api-1.8.0.jar | cpe:/a:apache:nifi:1.8.0 | org.apache.nifi:nifi-api:1.8.0 | - | 0 | Low | 21
red5-server-1.0.9-RELEASE.jar | - | org.red5:red5-server:1.0.9-RELEASE | - | 0 | - | 28
jcl-over-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:jcl-over-slf4j:1.7.25 | - | 0 | Low | 28
jul-to-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:jul-to-slf4j:1.7.25 | - | 0 | Low | 27
log4j-over-slf4j-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:log4j-over-slf4j:1.7.25 | - | 0 | Low | 28
logback-core-1.2.3.jar | cpe:/a:logback:logback:1.2.3 | ch.qos.logback:logback-core:1.2.3 | - | 0 | Low | 27
spring-core-4.3.8.RELEASE.jar | cpe:/a:pivotal:spring_framework:4.3.8; cpe:/a:pivotal_software:spring_framework:4.3.8 | org.springframework:spring-core:4.3.8.RELEASE | High | 8 | Highest | 25
red5-server-common-1.0.9-RELEASE.jar | - | org.red5:red5-server-common:1.0.9-RELEASE | - | 0 | - | 27
mina-core-2.0.16.jar | - | org.apache.mina:mina-core:2.0.16 | - | 0 | - | 24
bcprov-jdk15on-1.56.jar | cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.56; cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56; cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.56 | org.bouncycastle:bcprov-jdk15on:1.56 | High | 3 | Highest | 39
red5-io-1.0.9-RELEASE.jar | - | org.red5:red5-io:1.0.9-RELEASE | - | 0 | - | 27
tika-core-1.14.jar | cpe:/a:apache:tika:1.14 | org.apache.tika:tika-core:1.14 | High | 4 | Highest | 36
jmatio-1.2.jar | - | org.tallison:jmatio:1.2 | - | 0 | - | 18
apache-mime4j-core-0.7.2.jar | cpe:/a:apache:james:0.7.2 | org.apache.james:apache-mime4j-core:0.7.2 | - | 0 | Low | 30
pdfbox-tools-2.0.3.jar | cpe:/a:apache:pdfbox:2.0.3 | org.apache.pdfbox:pdfbox-tools:2.0.3 | - | 0 | Low | 23
jempbox-1.8.12.jar | cpe:/a:apache:pdfbox:1.8.12 | org.apache.pdfbox:jempbox:1.8.12 | - | 0 | Low | 32
tagsoup-1.2.1.jar | - | org.ccil.cowan.tagsoup:tagsoup:1.2.1 | - | 0 | - | 15
metadata-extractor-2.9.1.jar | cpe:/a:id:id-software:2.9.1 | com.drewnoakes:metadata-extractor:2.9.1 | - | 0 | Low | 18
xmpcore-5.1.2.jar | - | com.adobe.xmp:xmpcore:5.1.2 | - | 0 | - | 27
boilerpipe-1.1.0.jar | cpe:/a:html-pages_project:html-pages:1.1.0 | de.l3s.boilerpipe:boilerpipe:1.1.0 | - | 0 | Low | 19
rome-1.5.1.jar | - | com.rometools:rome:1.5.1 | - | 0 | - | 23
rome-utils-1.5.1.jar | - | com.rometools:rome-utils:1.5.1 | - | 0 | - | 22
juniversalchardet-1.0.3.jar | - | com.googlecode.juniversalchardet:juniversalchardet:1.0.3 | - | 0 | - | 20
ehcache-core-2.6.11.jar | - | net.sf.ehcache:ehcache-core:2.6.11 | - | 0 | - | 16
isoparser-1.9.27.jar | cpe:/a:boxes_project:boxes:1.9.27 | org.mp4parser:isoparser:1.9.27 | - | 0 | Low | 18
red5-service-1.0.9-RELEASE.jar | - | org.red5:red5-service:1.0.9-RELEASE | - | 0 | - | 25
commons-daemon-1.0.15.jar | cpe:/a:apache:apache_commons_daemon:1.0.15 | commons-daemon:commons-daemon:1.0.15 | - | 0 | Low | 33
mina-integration-beans-2.0.16.jar | - | org.apache.mina:mina-integration-beans:2.0.16 | - | 0 | - | 24
quartz-2.3.0.jar | - | org.quartz-scheduler:quartz:2.3.0 | - | 0 | - | 36
c3p0-0.9.5.2.jar | - | com.mchange:c3p0:0.9.5.2 | - | 0 | - | 21
mchange-commons-java-0.2.11.jar | - | com.mchange:mchange-commons-java:0.2.11 | - | 0 | - | 23
HikariCP-java6-2.3.13.jar | - | com.zaxxer:HikariCP-java6:2.3.13 | - | 0 | - | 30
javax.json-api-1.1.2.jar | - | javax.json:javax.json-api:1.1.2 | - | 0 | - | 30
vdx-core-1.1.6.jar | - | org.projectodd.vdx:vdx-core:1.1.6 | - | 0 | - | 22
vdx-wildfly-1.1.6.jar | cpe:/a:wildfly:wildfly:1.1.6 | org.projectodd.vdx:vdx-wildfly:1.1.6 | - | 0 | Low | 22
undertow-core-2.0.13.Final.jar | - | io.undertow:undertow-core:2.0.13.Final | - | 0 | - | 34
cal10n-api-0.8.1.jar | - | ch.qos.cal10n:cal10n-api:0.8.1 | - | 0 | - | 21
woodstox-core-5.0.3.jar | - | com.fasterxml.woodstox:woodstox-core:5.0.3 | - | 0 | - | 40
javax.json-1.1.2.jar | - | org.glassfish:javax.json:1.1.2 | - | 0 | - | 31
stax2-api-3.1.4.jar | - | org.codehaus.woodstox:stax2-api:3.1.4 | - | 0 | - | 26
jandex-2.0.5.Final.jar | - | org.jboss:jandex:2.0.5.Final | - | 0 | - | 35
jboss-dmr-1.5.0.Final.jar | - | org.jboss:jboss-dmr:1.5.0.Final | - | 0 | - | 28
staxmapper-1.3.0.Final.jar | - | org.jboss:staxmapper:1.3.0.Final | - | 0 | - | 26
jboss-interceptors-api_1.2_spec-1.0.1.Final.jar | - | org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.2_spec:1.0.1.Final | - | 0 | - | 39
jboss-jacc-api_1.5_spec-1.0.2.Final.jar | - | org.jboss.spec.javax.security.jacc:jboss-jacc-api_1.5_spec:1.0.2.Final | - | 0 | - | 39
jboss-jaspi-api_1.1_spec-1.0.2.Final.jar | - | org.jboss.spec.javax.security.auth.message:jboss-jaspi-api_1.1_spec:1.0.2.Final | - | 0 | - | 39
jboss-classfilewriter-1.2.3.Final.jar | - | org.jboss.classfilewriter:jboss-classfilewriter:1.2.3.Final | - | 0 | - | 39
jboss-vfs-3.2.14.Final.jar | - | org.jboss:jboss-vfs:3.2.14.Final | - | 0 | - | 34
aesh-readline-1.10.jar | - | org.aesh:aesh-readline:1.10 | - | 0 | - | 20
aesh-extensions-1.6.jar | - | org.aesh:aesh-extensions:1.6 | - | 0 | - | 28
aesh-1.7.jar | - | org.aesh:aesh:1.7 | - | 0 | - | 28
jboss-invocation-1.5.1.Final.jar | - | org.jboss.invocation:jboss-invocation:1.5.1.Final | - | 0 | - | 28
jboss-logging-3.3.2.Final.jar | - | org.jboss.logging:jboss-logging:3.3.2.Final | - | 0 | - | 41
jul-to-slf4j-stub-1.0.1.Final.jar | cpe:/a:slf4j:slf4j:1.0.1 | org.jboss.logging:jul-to-slf4j-stub:1.0.1.Final | - | 0 | Low | 26
commons-logging-jboss-logging-1.0.0.Final.jar | - | org.jboss.logging:commons-logging-jboss-logging:1.0.0.Final | - | 0 | - | 30
log4j-jboss-logmanager-1.1.6.Final.jar | - | org.jboss.logmanager:log4j-jboss-logmanager:1.1.6.Final | - | 0 | - | 26
jboss-marshalling-2.0.6.Final.jar | - | org.jboss.marshalling:jboss-marshalling:2.0.6.Final | - | 0 | - | 28
jboss-marshalling-river-2.0.6.Final.jar | - | org.jboss.marshalling:jboss-marshalling-river:2.0.6.Final | - | 0 | - | 28
jboss-modules-1.8.6.Final.jar | - | org.jboss.modules:jboss-modules:1.8.6.Final | - | 0 | - | 28
jboss-msc-1.4.3.Final.jar | - | org.jboss.msc:jboss-msc:1.4.3.Final | - | 0 | - | 28
jboss-remoting-5.0.8.Final.jar | - | org.jboss.remoting:jboss-remoting:5.0.8.Final | - | 0 | - | 34
remoting-jmx-3.0.0.Final.jar | - | org.jboss.remotingjmx:remoting-jmx:3.0.0.Final | - | 0 | - | 28
slf4j-jboss-logmanager-1.0.3.GA.jar | cpe:/a:slf4j:slf4j:1.0.3 | org.jboss.slf4j:slf4j-jboss-logmanager:1.0.3.GA | - | 0 | Low | 28
jboss-stdio-1.0.2.GA.jar | - | org.jboss.stdio:jboss-stdio:1.0.2.GA | - | 0 | - | 28
jboss-threads-2.3.2.Final.jar | - | org.jboss.threads:jboss-threads:2.3.2.Final | - | 0 | - | 26
xnio-api-3.6.5.Final.jar | - | org.jboss.xnio:xnio-api:3.6.5.Final | - | 0 | - | 43
xnio-nio-3.6.5.Final.jar | - | org.jboss.xnio:xnio-nio:3.6.5.Final | - | 0 | - | 43
jansi-1.16.jar | - | org.fusesource.jansi:jansi:1.16 | - | 0 | - | 25
wildfly-common-1.4.0.Final.jar | cpe:/a:wildfly:wildfly:1.4.0 | org.wildfly.common:wildfly-common:1.4.0.Final | - | 0 | Low | 33
wildfly-config-gen-2.0.0.Final.jar | cpe:/a:wildfly:wildfly:2.0.0 | org.wildfly.galleon-plugins:wildfly-config-gen:2.0.0.Final | - | 0 | Low | 28
wildfly-openssl-java-1.0.6.Final.jar | cpe:/a:wildfly:wildfly:1.0.6; cpe:/a:openssl_project:openssl:1.0.6; cpe:/a:openssl:openssl:1.0.6 | org.wildfly.openssl:wildfly-openssl-java:1.0.6.Final | High | 8 | Low | 24
org.eclipse.jgit-5.0.2.201807311906-r.jar | - | org.eclipse.jgit:org.eclipse.jgit:5.0.2.201807311906-r | - | 0 | - | 29
jsch-0.1.54.jar | cpe:/a:jcraft:jsch:0.1.54 | com.jcraft:jsch:0.1.54 | - | 0 | Low | 22
jzlib-1.1.1.jar | cpe:/a:jcraft:jzlib:1.1.1 | com.jcraft:jzlib:1.1.1 | - | 0 | Low | 22
JavaEWAH-1.1.6.jar | - | com.googlecode.javaewah:JavaEWAH:1.1.6 | - | 0 | - | 20
httpclient-4.5.2.jar | cpe:/a:apache:httpclient:4.5.2 | org.apache.httpcomponents:httpclient:4.5.2 | - | 0 | Low | 29
httpcore-4.4.4.jar | - | org.apache.httpcomponents:httpcore:4.4.4 | - | 0 | - | 31
wildfly-core-security-6.0.2.Final.jar | cpe:/a:wildfly:wildfly:6.0.2 | org.wildfly.core:wildfly-core-security:6.0.2.Final | - | 0 | Low | 26
wildfly-elytron-1.6.0.Final.jar | cpe:/a:wildfly:wildfly:1.6.0 | org.wildfly.security:wildfly-elytron:1.6.0.Final | - | 0 | Low | 28
undertow-server-1.2.3.Final.jar | cpe:/a:wildfly:wildfly:1.2.3 | org.wildfly.security.elytron-web:undertow-server:1.2.3.Final | - | 0 | Low | 28
wildfly-client-config-1.0.1.Final.jar | cpe:/a:wildfly:wildfly:1.0.1 | org.wildfly.client:wildfly-client-config:1.0.1.Final | - | 0 | Low | 37
wildfly-discovery-client-1.1.1.Final.jar | cpe:/a:wildfly:wildfly:1.1.1 | org.wildfly.discovery:wildfly-discovery-client:1.1.1.Final | - | 0 | Low | 24
xml-resolver-1.2.jar | - | xml-resolver:xml-resolver:1.2 | - | 0 | - | 20
kafka_2.12-2.0.1.jar | cpe:/a:apache:kafka:2.0.1 | org.apache.kafka:kafka_2.12:2.0.1 | - | 0 | Low | 13
lz4-java-1.4.1.jar | - | org.lz4:lz4-java:1.4.1 | - | 0 | - | 26
snappy-java-1.1.7.1.jar | - | org.xerial.snappy:snappy-java:1.1.7.1 | - | 0 | - | 27
jackson-databind-2.9.7.jar | cpe:/a:fasterxml:jackson:2.9.7; cpe:/a:fasterxml:jackson-databind:2.9.7 | com.fasterxml.jackson.core:jackson-databind:2.9.7 | - | 0 | Low | 38
jackson-annotations-2.9.0.jar | cpe:/a:fasterxml:jackson:2.9.0 | com.fasterxml.jackson.core:jackson-annotations:2.9.0 | - | 0 | Low | 36
jackson-core-2.9.7.jar | cpe:/a:fasterxml:jackson:2.9.7 | com.fasterxml.jackson.core:jackson-core:2.9.7 | - | 0 | Low | 38
jopt-simple-5.0.4.jar | - | net.sf.jopt-simple:jopt-simple:5.0.4 | - | 0 | - | 19
metrics-core-2.2.0.jar | - | com.yammer.metrics:metrics-core:2.2.0 | - | 0 | - | 18
scala-library-2.12.6.jar | cpe:/a:scala-lang:scala:2.12.6 | org.scala-lang:scala-library:2.12.6 | - | 0 | Low | 28
scala-logging_2.12-3.9.0.jar | - | com.typesafe.scala-logging:scala-logging_2.12:3.9.0 | - | 0 | - | 34
zkclient-0.10.jar | - | com.101tec:zkclient:0.10 | - | 0 | - | 20
zookeeper-3.4.13.jar | cpe:/a:apache:zookeeper:3.4.13 | org.apache.zookeeper:zookeeper:3.4.13 | Medium | 1 | Low | 20
audience-annotations-0.5.0.jar | - | org.apache.yetus:audience-annotations:0.5.0 | - | 0 | - | 23
orc-core-1.4.4.jar | - | org.apache.orc:orc-core:1.4.4 | - | 0 | - | 25
protobuf-java-2.5.0.jar | cpe:/a:google:protobuf:2.5.0 | com.google.protobuf:protobuf-java:2.5.0 | Medium | 1 | Highest | 26
commons-lang-2.6.jar | - | commons-lang:commons-lang:2.6 | - | 0 | - | 31
aircompressor-0.8.jar | - | io.airlift:aircompressor:0.8 | - | 0 | - | 24
hive-storage-api-2.2.1.jar | cpe:/a:apache:hive:2.2.1 | org.apache.hive:hive-storage-api:2.2.1 | - | 0 | Low | 23
camel-core-2.22.2.jar | cpe:/a:apache:camel:2.22.2 | org.apache.camel:camel-core:2.22.2 | - | 0 | Low | 32
jaxb-core-2.3.0.1.jar | - | com.sun.xml.bind:jaxb-core:2.3.0.1 | - | 0 | - | 27
jaxb-impl-2.3.0.1.jar | - | com.sun.xml.bind:jaxb-impl:2.3.0.1 | - | 0 | - | 30
jenkins-core-2.85.jar | cpe:/a:jenkins:jenkins:2.85 | org.jenkins-ci.main:jenkins-core:2.85 | Medium | 27 | Highest | 18
icon-set-1.0.5.jar | cpe:/a:jenkins:jenkins:1.0.5 | org.jenkins-ci.plugins.icon-shim:icon-set:1.0.5 | High | 107 | Low | 22
remoting-3.13.jar | cpe:/a:jenkins:jenkins:3.13 | org.jenkins-ci.main:remoting:3.13 | - | 0 | Low | 15
constant-pool-scanner-1.2.jar | - | org.jenkins-ci:constant-pool-scanner:1.2 | - | 0 | - | 18
cli-2.85.jar | cpe:/a:jenkins:jenkins:2.85 | org.jenkins-ci.main:cli:2.85 | Medium | 27 | Highest | 20
version-number-1.4.jar | cpe:/a:jenkins:jenkins:1.4 | org.jenkins-ci:version-number:1.4 | High | 107 | Low | 18
crypto-util-1.1.jar | cpe:/a:jenkins:jenkins:1.1 | org.jenkins-ci:crypto-util:1.1 | High | 107 | Low | 20
jtidy-4aug2000r7-dev-hudson-1.jar | cpe:/a:html-tidy:tidy:- | org.jvnet.hudson:jtidy:4aug2000r7-dev-hudson-1 | - | 0 | Low | 21
guice-4.0.jar | - | com.google.inject:guice:4.0 | - | 0 | - | 26
aopalliance-1.0.jar | - | aopalliance:aopalliance:1.0 | - | 0 | - | 17
jna-posix-1.0.3-jenkins-1.jar | cpe:/a:jruby:jruby:1.0.3 | org.jruby.ext.posix:jna-posix:1.0.3-jenkins-1 | High | 3 | Highest | 16
jnr-posix-3.0.41.jar | - | com.github.jnr:jnr-posix:3.0.41 | - | 0 | - | 19
jnr-ffi-2.1.4.jar | - | com.github.jnr:jnr-ffi:2.1.4 | - | 0 | - | 20
jffi-1.2.15.jar | - | com.github.jnr:jffi:1.2.15 | - | 0 | - | 20
jffi-1.2.15-native.jar | - | com.github.jnr:jffi:1.2.15 | - | 0 | - | 11
asm-analysis-5.0.3.jar | - | org.ow2.asm:asm-analysis:5.0.3 | - | 0 | - | 25
asm-tree-5.0.3.jar | - | org.ow2.asm:asm-tree:5.0.3 | - | 0 | - | 25
asm-util-5.0.3.jar | - | org.ow2.asm:asm-util:5.0.3 | - | 0 | - | 25
jnr-x86asm-1.0.2.jar | - | com.github.jnr:jnr-x86asm:1.0.2 | - | 0 | - | 18
jnr-constants-0.9.8.jar | - | com.github.jnr:jnr-constants:0.9.8 | - | 0 | - | 20
trilead-putty-extension-1.2.jar | cpe:/a:putty:putty:1.2 | org.kohsuke:trilead-putty-extension:1.2 | - | 0 | Low | 22
trilead-ssh2-build-217-jenkins-11.jar | cpe:/a:jenkins:ssh:- | org.jenkins-ci:trilead-ssh2:build-217-jenkins-11 | Medium | 1 | Low | 17
eddsa-0.2.0.jar | - | net.i2p.crypto:eddsa:0.2.0 | - | 0 | - | 21
jbcrypt-1.0.0.jar | cpe:/a:mindrot:jbcrypt:1.0.0 | org.connectbot.jbcrypt:jbcrypt:1.0.0 | - | 0 | Low | 19
stapler-groovy-1.252.jar | - | org.kohsuke.stapler:stapler-groovy:1.252 | - | 0 | - | 23
stapler-jelly-1.252.jar | - | org.kohsuke.stapler:stapler-jelly:1.252 | - | 0 | - | 22
commons-jelly-1.1-jenkins-20120928.jar | cpe:/a:apache:commons-jelly:1.1 | org.jenkins-ci:commons-jelly:1.1-jenkins-20120928 | - | 0 | Low | 21
dom4j-1.6.1-jenkins-4.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | org.jenkins-ci.dom4j:dom4j:1.6.1-jenkins-4 | Medium | 1 | Highest | 21
stapler-jrebel-1.252.jar | - | org.kohsuke.stapler:stapler-jrebel:1.252 | - | 0 | - | 20
stapler-1.252.jar | - | org.kohsuke.stapler:stapler:1.252 | - | 0 | - | 20
commons-discovery-0.4.jar | - | commons-discovery:commons-discovery:0.4 | - | 0 | - | 26
tiger-types-2.2.jar | - | org.jvnet:tiger-types:2.2 | - | 0 | - | 14
windows-package-checker-1.2.jar | - | org.kohsuke:windows-package-checker:1.2 | - | 0 | - | 19
stapler-adjunct-zeroclipboard-1.3.5-1.jar | cpe:/a:zeroclipboard_project:zeroclipboard:1.3.5.1 | org.kohsuke.stapler:stapler-adjunct-zeroclipboard:1.3.5-1 | - | 0 | Low | 17
stapler-adjunct-timeline-1.5.jar | - | org.kohsuke.stapler:stapler-adjunct-timeline:1.5 | - | 0 | - | 21
stapler-adjunct-codemirror-1.3.jar | - | org.kohsuke.stapler:stapler-adjunct-codemirror:1.3 | - | 0 | - | 11
bridge-method-annotation-1.13.jar | - | com.infradna.tool:bridge-method-annotation:1.13 | - | 0 | - | 20
json-lib-2.4-jenkins-2.jar | - | org.kohsuke.stapler:json-lib:2.4-jenkins-2 | - | 0 | - | 25
ezmorph-1.0.6.jar | - | net.sf.ezmorph:ezmorph:1.0.6 | - | 0 | - | 19
commons-httpclient-3.1-jenkins-1.jar | cpe:/a:jenkins:jenkins:3.1 | commons-httpclient:commons-httpclient:3.1-jenkins-1 | - | 0 | Low | 21
junit-4.12.jar | - | junit:junit:4.12 | - | 0 | - | 22
hamcrest-core-1.3.jar | - | org.hamcrest:hamcrest-core:1.3 | - | 0 | - | 22
args4j-2.0.31.jar | - | args4j:args4j:2.0.31 | - | 0 | - | 21
annotation-indexer-1.12.jar | - | org.jenkins-ci:annotation-indexer:1.12 | - | 0 | - | 22
bytecode-compatibility-transformer-1.8.jar | cpe:/a:jenkins:jenkins:1.8 | org.jenkins-ci:bytecode-compatibility-transformer:1.8 | High | 107 | Low | 18
asm5-5.0.1.jar | - | org.kohsuke:asm5:5.0.1 | - | 0 | - | 18
task-reactor-1.4.jar | cpe:/a:jenkins:jenkins:1.4 | org.jenkins-ci:task-reactor:1.4 | High | 107 | Low | 20
localizer-1.24.jar | - | org.jvnet.localizer:localizer:1.24 | - | 0 | - | 18
antlr-2.7.6.jar | - | antlr:antlr:2.7.6 | - | 0 | - | 13
xstream-1.4.7-jenkins-1.jar | cpe:/a:xstream_project:xstream:1.4.7 | org.jvnet.hudson:xstream:1.4.7-jenkins-1 | Medium | 2 | Low | 35
jfreechart-1.0.9.jar | - | jfree:jfreechart:1.0.9 | - | 0 | - | 21
jcommon-1.0.12.jar | - | jfree:jcommon:1.0.12 | - | 0 | - | 21
ant-1.8.4.jar | - | org.apache.ant:ant:1.8.4 | - | 0 | - | 18
ant-launcher-1.8.4.jar | - | org.apache.ant:ant-launcher:1.8.4 | - | 0 | - | 21
commons-io-2.4.jar | - | commons-io:commons-io:2.4 | - | 0 | - | 33
commons-digester-2.1.jar | - | commons-digester:commons-digester:2.1 | - | 0 | - | 31
commons-compress-1.10.jar | cpe:/a:apache:commons-compress:1.10 | org.apache.commons:commons-compress:1.10 | - | 0 | Low | 38
mail-1.4.4.jar | cpe:/a:sun:javamail:1.4.4 | javax.mail:mail:1.4.4 | - | 0 | Low | 35
activation-1.1.1-hudson-1.jar | - | org.jvnet.hudson:activation:1.1.1-hudson-1 | - | 0 | - | 17
jaxen-1.1-beta-11.jar | - | jaxen:jaxen:1.1-beta-11 | - | 0 | - | 24
commons-jelly-tags-fmt-1.0.jar | cpe:/a:apache:commons-jelly:1.0.1.rc6 | commons-jelly:commons-jelly-tags-fmt:1.0 | High | 1 | Low | 15
commons-jelly-tags-xml-1.1.jar | cpe:/a:apache:commons-jelly:1.1 | commons-jelly:commons-jelly-tags-xml:1.1 | - | 0 | Low | 25
commons-jelly-tags-define-1.0.1-hudson-20071021.jar | cpe:/a:apache:commons-jelly:1.0.1.rc6 | org.jvnet.hudson:commons-jelly-tags-define:1.0.1-hudson-20071021 | High | 1 | Low | 20
commons-jexl-1.1-jenkins-20111212.jar | - | org.jenkins-ci:commons-jexl:1.1-jenkins-20111212 | - | 0 | - | 24
acegi-security-1.0.7.jar | cpe:/a:acegisecurity:acegi-security:1.0.7 | org.acegisecurity:acegi-security:1.0.7 | Medium | 1 | Highest | 16
spring-dao-1.2.9.jar | cpe:/a:pivotal_software:spring_framework:1.2.9; cpe:/a:springsource:spring_framework:1.2.9; cpe:/a:pivotal:spring_framework:1.2.9; cpe:/a:vmware:springsource_spring_framework:1.2.9 | org.springframework:spring-dao:1.2.9 | High | 10 | Low | 25
oro-2.0.8.jar | - | oro:oro:2.0.8 | - | 0 | - | 11
groovy-all-2.4.11.jar | cpe:/a:apache:groovy:2.4.11 | org.codehaus.groovy:groovy-all:2.4.11 | - | 0 | Low | 33
jline-2.12.jar | - | jline:jline:2.12 | - | 0 | - | 13
spring-aop-2.5.6.SEC03.jar | cpe:/a:pivotal_software:spring_framework:2.5.6.sec03; cpe:/a:springsource:spring_framework:2.5.6.sec03; cpe:/a:pivotal:spring_framework:2.5.6.sec03; cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03 | org.springframework:spring-aop:2.5.6.SEC03 | High | 10 | Low | 28
xpp3-1.1.4c.jar | - | xpp3:xpp3:1.1.4c | - | 0 | - | 23
jstl-1.1.0.jar | - | javax.servlet:jstl:1.1.0 | - | 0 | - | 15
txw2-20110809.jar | - | com.sun.xml.txw2:txw2:20110809 | - | 0 | - | 22
stax-api-1.0-2.jar | - | javax.xml.stream:stax-api:1.0-2 | - | 0 | - | 17
relaxngDatatype-20020414.jar | - | relaxngDatatype:relaxngDatatype:20020414 | - | 0 | - | 10
commons-collections-3.2.2.jar | cpe:/a:apache:commons_collections:3.2.2 | commons-collections:commons-collections:3.2.2 | - | 0 | Low | 37
winp-1.25.jar | - | org.jvnet.winp:winp:1.25 | - | 0 | - | 20
memory-monitor-1.9.jar | cpe:/a:jenkins:jenkins:1.9 | org.jenkins-ci:memory-monitor:1.9 | High | 107 | Low | 20
wstx-asl-3.2.9.jar | - | org.codehaus.woodstox:wstx-asl:3.2.9 | - | 0 | - | 24
stax-api-1.0.1.jar | - | stax:stax-api:1.0.1 | - | 0 | - | 19
jmdns-3.4.0-jenkins-3.jar | - | org.jenkins-ci:jmdns:3.4.0-jenkins-3 | - | 0 | - | 19
jna-4.2.1.jar | - | net.java.dev.jna:jna:4.2.1 | - | 0 | - | 27
akuma-1.10.jar | - | org.kohsuke:akuma:1.10 | - | 0 | - | 19
libpam4j-1.8.jar | cpe:/a:libpam4j_project:libpam4j:1.8 | org.kohsuke:libpam4j:1.8 | Medium | 1 | Highest | 20
libzfs-0.8.jar | - | org.kohsuke:libzfs:0.8 | - | 0 | - | 25
embedded_su4j-1.1.jar | - | com.sun.solaris:embedded_su4j:1.1 | - | 0 | - | 15
sezpoz-1.12.jar | - | net.java.sezpoz:sezpoz:1.12 | - | 0 | - | 18
j-interop-2.0.6-kohsuke-1.jar | - | org.kohsuke.jinterop:j-interop:2.0.6-kohsuke-1 | - | 0 | - | 19
j-interopdeps-2.0.6-kohsuke-1.jar | - | org.kohsuke.jinterop:j-interopdeps:2.0.6-kohsuke-1 | - | 0 | - | 17
jcifs-1.2.19.jar | - | org.samba.jcifs:jcifs:1.2.19 | - | 0 | - | 16
robust-http-client-1.2.jar | - | org.jvnet.robust-http-client:robust-http-client:1.2 | - | 0 | - | 19
symbol-annotation-1.1.jar | cpe:/a:jenkins:jenkins:1.1 | org.jenkins-ci:symbol-annotation:1.1 | High | 107 | Low | 17
commons-codec-1.8.jar | - | commons-codec:commons-codec:1.8 | - | 0 | - | 33
access-modifier-annotation-1.11.jar | - | org.kohsuke:access-modifier-annotation:1.11 | - | 0 | - | 18
commons-fileupload-1.3.1-jenkins-2.jar | cpe:/a:apache:commons_fileupload:1.3.1 | commons-fileupload:commons-fileupload:1.3.1-jenkins-2 | High | 2 | Highest | 32
guava-11.0.1.jar | cpe:/a:google:guava:11.0.1 | com.google.guava:guava:11.0.1 | Medium | 1 | Highest | 22
commons-cli-1.2.jar | - | commons-cli:commons-cli:1.2 | - | 0 | - | 31
commons-math3-3.1.1.jar | - | org.apache.commons:commons-math3:3.1.1 | - | 0 | - | 34
commons-net-3.6.jar | - | commons-net:commons-net:3.6 | - | 0 | - | 37
javax.servlet-api-3.1.0.jar | - | javax.servlet:javax.servlet-api:3.1.0 | - | 0 | - | 33
jetty-xml-9.3.19.v20170502.jar | cpe:/a:jetty:jetty:9.3.19.v20170502; cpe:/a:eclipse:jetty:9.3.19 | org.eclipse.jetty:jetty-xml:9.3.19.v20170502 | High | 5 | Low | 38
jsp-api-2.1.jar | - | javax.servlet.jsp:jsp-api:2.1 | - | 0 | - | 15
jersey-core-1.19.jar | - | com.sun.jersey:jersey-core:1.19 | - | 0 | - | 26
jsr311-api-1.1.1.jar | - | javax.ws.rs:jsr311-api:1.1.1 | - | 0 | - | 25
jersey-servlet-1.19.jar | - | com.sun.jersey:jersey-servlet:1.19 | - | 0 | - | 26
jersey-json-1.19.jar | - | com.sun.jersey:jersey-json:1.19 | - | 0 | - | 26
jettison-1.1.jar | - | org.codehaus.jettison:jettison:1.1 | - | 0 | - | 20
jackson-core-asl-1.9.2.jar | cpe:/a:fasterxml:jackson:1.9.2 | org.codehaus.jackson:jackson-core-asl:1.9.2 | - | 0 | Low | 29
jersey-server-1.19.jar | - | com.sun.jersey:jersey-server:1.19 | - | 0 | - | 26
log4j-1.2.17.jar | cpe:/a:apache:log4j:1.2.17 | log4j:log4j:1.2.17 | - | 0 | Low | 27
commons-configuration2-2.1.1.jar | - | org.apache.commons:commons-configuration2:2.1.1 | - | 0 | - | 38
commons-lang3-3.4.jar | - | org.apache.commons:commons-lang3:3.4 | - | 0 | - | 36
slf4j-log4j12-1.7.25.jar | cpe:/a:slf4j:slf4j:1.7.25 | org.slf4j:slf4j-log4j12:1.7.25 | - | 0 | Low | 28
avro-1.7.7.jar | - | org.apache.avro:avro:1.7.7 | - | 0 | - | 32
paranamer-2.3.jar | - | com.thoughtworks.paranamer:paranamer:2.3 | - | 0 | - | 18
re2j-1.1.jar | - | com.google.re2j:re2j:1.1 | - | 0 | - | 16
gson-2.2.4.jar | - | com.google.code.gson:gson:2.2.4 | - | 0 | - | 28
hadoop-auth-3.1.1.jar | cpe:/a:apache:hadoop:3.1.1 | org.apache.hadoop:hadoop-auth:3.1.1 | - | 0 | Low | 23
nimbus-jose-jwt-4.41.1.jar | cpe:/a:connect2id:nimbus_jose+jwt:4.41.1 | com.nimbusds:nimbus-jose-jwt:4.41.1 | - | 0 | Low | 42
jcip-annotations-1.0-1.jar | - | com.github.stephenc.jcip:jcip-annotations:1.0-1 | - | 0 | - | 20
json-smart-2.3.jar | - | net.minidev:json-smart:2.3 | - | 0 | - | 29
accessors-smart-1.2.jar | - | net.minidev:accessors-smart:1.2 | - | 0 | - | 27
curator-framework-2.12.0.jar | cpe:/a:apache:zookeeper:2.12.0 | org.apache.curator:curator-framework:2.12.0 | Medium | 2 | Low | 24
curator-client-2.12.0.jar | - | org.apache.curator:curator-client:2.12.0 | - | 0 | - | 24
curator-recipes-2.12.0.jar | - | org.apache.curator:curator-recipes:2.12.0 | - | 0 | - | 24
jsr305-3.0.0.jar | - | com.google.code.findbugs:jsr305:3.0.0 | - | 0 | - | 18
htrace-core4-4.1.0-incubating.jar | - | org.apache.htrace:htrace-core4:4.1.0-incubating | - | 0 | - | 18
kerb-simplekdc-1.0.1.jar | - | org.apache.kerby:kerb-simplekdc:1.0.1 | - | 0 | - | 25
kerb-client-1.0.1.jar | - | org.apache.kerby:kerb-client:1.0.1 | - | 0 | - | 25
kerby-config-1.0.1.jar | - | org.apache.kerby:kerby-config:1.0.1 | - | 0 | - | 25
kerb-core-1.0.1.jar | - | org.apache.kerby:kerb-core:1.0.1 | - | 0 | - | 25
kerby-pkix-1.0.1.jar | - | org.apache.kerby:kerby-pkix:1.0.1 | - | 0 | - | 25
kerby-asn1-1.0.1.jar | - | org.apache.kerby:kerby-asn1:1.0.1 | - | 0 | - | 25
kerby-util-1.0.1.jar | - | org.apache.kerby:kerby-util:1.0.1 | - | 0 | - | 25
kerb-common-1.0.1.jar | - | org.apache.kerby:kerb-common:1.0.1 | - | 0 | - | 25
kerb-crypto-1.0.1.jar | - | org.apache.kerby:kerb-crypto:1.0.1 | - | 0 | - | 25
kerb-util-1.0.1.jar | - | org.apache.kerby:kerb-util:1.0.1 | - | 0 | - | 25
token-provider-1.0.1.jar | - | org.apache.kerby:token-provider:1.0.1 | - | 0 | - | 25
kerb-admin-1.0.1.jar | - | org.apache.kerby:kerb-admin:1.0.1 | - | 0 | - | 25
kerb-server-1.0.1.jar | - | org.apache.kerby:kerb-server:1.0.1 | - | 0 | - | 25
kerb-identity-1.0.1.jar | - | org.apache.kerby:kerb-identity:1.0.1 | - | 0 | - | 25
kerby-xdr-1.0.1.jar | - | org.apache.kerby:kerby-xdr:1.0.1 | - | 0 | - | 25
jetty-http-9.4.14.v20181114.jar | cpe:/a:eclipse:jetty:9.4.14.v20181114; cpe:/a:jetty:jetty:9.4.14.v20181114 | org.eclipse.jetty:jetty-http:9.4.14.v20181114 | - | 0 | Low | 40
jetty-io-9.4.14.v20181114.jar | - | org.eclipse.jetty:jetty-io:9.4.14.v20181114 | - | 0 | - | 38
plexus-archiver-3.6.0.jar | cpe:/a:archiver_project:archiver:3.6.0 | org.codehaus.plexus:plexus-archiver:3.6.0 | - | 0 | Low | 20
plexus-utils-3.1.0.jar | - | org.codehaus.plexus:plexus-utils:3.1.0 | - | 0 | - | 22
plexus-io-3.0.1.jar | - | org.codehaus.plexus:plexus-io:3.0.1 | - | 0 | - | 21
snappy-0.4.jar | - | org.iq80.snappy:snappy:0.4 | - | 0 | - | 18
xz-1.8.jar | cpe:/a:tukaani:xz:1.8 | org.tukaani:xz:1.8 | Medium | 1 | Low | 26
artemis-cli-1.4.0.jar: artemis-service.exe | - | - | - | 0 | - | 5
jolokia-war-1.3.3.war: jolokia-core-1.3.3.jar | cpe:/a:jolokia:jolokia:1.3.3 | org.jolokia:jolokia-core:1.3.3 | - | 0 | Low | 19
jolokia-war-1.3.3.war: json-simple-1.1.1.jar | - | com.googlecode.json-simple:json-simple:1.1.1 | - | 0 | - | 19
ehcache-core-2.6.11.jar: sizeof-agent.jar | - | net.sf.ehcache:sizeof-agent:1.0.1 | - | 0 | - | 26
jansi-1.16.jar: jansi.dll | - | - | - | 0 | - | 2
jansi-1.16.jar: jansi.dll | - | - | - | 0 | - | 2
wildfly-openssl-windows-x86_64-1.0.6.Final.jar: wfssl.dll | - | - | - | 0 | - | 2
wildfly-openssl-windows-i386-1.0.6.Final.jar: wfssl.dll | - | - | - | 0 | - | 2
snappy-java-1.1.7.1.jar: snappyjava.dll | - | - | - | 0 | - | 2
snappy-java-1.1.7.1.jar: snappyjava.dll | - | - | - | 0 | - | 2
jffi-1.2.15-native.jar: jffi-1.2.dll | - | - | - | 0 | - | 4
jffi-1.2.15-native.jar: jffi-1.2.dll | - | - | - | 0 | - | 4
jline-2.12.jar: jansi.dll | - | - | - | 0 | - | 2
jline-2.12.jar: jansi.dll | - | - | - | 0 | - | 2
winp-1.25.jar: winp.dll | - | - | - | 0 | - | 2
winp-1.25.jar: winp.x64.dll | - | - | - | 0 | - | 4
jna-4.2.1.jar: jnidispatch.dll | - | - | - | 0 | - | 2
jna-4.2.1.jar: jnidispatch.dll | - | - | - | 0 | - | 2
jna-4.2.1.jar: jnidispatch.dll | - | - | - | 0 | - | 2
jetty-all-9.3.10.v20160621-uber.jar (shaded: org.eclipse.jetty:jetty-io:9.3.10.v20160621) | - | org.eclipse.jetty:jetty-io:9.3.10.v20160621 | - | 0 | - | 13
jetty-all-9.3.10.v20160621-uber.jar (shaded: org.eclipse.jetty:jetty-util:9.3.10.v20160621) | cpe:/a:eclipse:jetty:9.3.10; cpe:/a:jetty:jetty:9.3.10.v20160621 | org.eclipse.jetty:jetty-util:9.3.10.v20160621 | High | 5 | Low | 15
aesh-readline-1.10.jar (shaded: org.aesh:aesh-terminal-api:1.10) | - | org.aesh:aesh-terminal-api:1.10 | - | 0 | - | 13
jansi-1.16.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.15) | - | org.fusesource.hawtjni:hawtjni-runtime:1.15 | - | 0 | - | 13
jansi-1.16.jar (shaded: org.fusesource.jansi:jansi-${platform}:1.7) | cpe:/a:id:id-software:1.7 | org.fusesource.jansi:jansi-${platform}:1.7 | - | 0 | Low | 16
wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.wildfly.galleon-plugins:wildfly-galleon-plugins:2.0.0.Final) | cpe:/a:wildfly:wildfly:2.0.0 | org.wildfly.galleon-plugins:wildfly-galleon-plugins:2.0.0.Final | - | 0 | Low | 13
wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.jboss:jandex:2.0.3.Final) | - | org.jboss:jandex:2.0.3.Final | - | 0 | - | 12
wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.jboss:staxmapper:1.1.0.Final) | cpe:/a:st_project:st:1.1.0 | org.jboss:staxmapper:1.1.0.Final | Medium | 1 | Low | 12
wildfly-galleon-plugins-2.0.0.Final.jar (shaded: com.googlecode.java-diff-utils:diffutils:1.3.0) | - | com.googlecode.java-diff-utils:diffutils:1.3.0 | - | 0 | - | 11
jansi-1.16.jar (shaded: org.fusesource.jansi:jansi:1.16) | cpe:/a:id:id-software:1.16 | org.fusesource.jansi:jansi:1.16 | - | 0 | Low | 13
wildfly-elytron-tool-1.4.0.Final.jar (shaded: commons-cli:commons-cli:1.3.1) | - | commons-cli:commons-cli:1.3.1 | - | 0 | - | 16
jaxb-core-2.3.0.1.jar (shaded: org.glassfish.jaxb:txw2:2.3.0.1) | - | org.glassfish.jaxb:txw2:2.3.0.1 | - | 0 | - | 13
jaxb-core-2.3.0.1.jar (shaded: org.glassfish.jaxb:jaxb-core:2.3.0.1) | - | org.glassfish.jaxb:jaxb-core:2.3.0.1 | - | 0 | - | 13
jaxb-core-2.3.0.1.jar (shaded: com.sun.istack:istack-commons-runtime:3.0.5) | - | com.sun.istack:istack-commons-runtime:3.0.5 | - | 0 | - | 11
jaxb-impl-2.3.0.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.0.1) | - | org.glassfish.jaxb:jaxb-runtime:2.3.0.1 | - | 0 | - | 13
htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0) | cpe:/a:fasterxml:jackson:2.4.0 | com.fasterxml.jackson.core:jackson-core:2.4.0 | - | 0 | Low | 16
htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | cpe:/a:fasterxml:jackson:2.4.0; cpe:/a:fasterxml:jackson-databind:2.4.0 | com.fasterxml.jackson.core:jackson-databind:2.4.0 | High | 5 | Highest | 16
htrace-core4-4.1.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1) | - | commons-logging:commons-logging:1.1.1 | - | 0 | - | 16

Dependencies

xercesImpl-2.12.0.jar

Description:

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\xerces\xercesImpl\2.12.0\xercesImpl-2.12.0.jar
MD5: b89632b53c4939a2982bcb52806f6dec
SHA1: f02c844149fd306601f20e0b34853a670bef7fa2
SHA256:b50d3a4ca502faa4d1c838acb8aa9480446953421f7327e338c5dda3da5e76d0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: xerces:xercesImpl:2.12.0  Confidence:Highest
  • cpe: cpe:/a:apache:xerces2_java:2.12.0  Confidence:Low  

xml-apis-1.4.01.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: C:\Users\Queue\.m2\repository\xml-apis\xml-apis\1.4.01\xml-apis-1.4.01.jar
MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d
SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3
SHA256:a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: xml-apis:xml-apis:1.4.01  Confidence:Highest

slf4j-api-1.7.22.jbossorg-1.jar

Description:

 The slf4j API

File Path: C:\Users\Queue\.m2\repository\org\slf4j\slf4j-api\1.7.22.jbossorg-1\slf4j-api-1.7.22.jbossorg-1.jar
MD5: 3552692dbae02885ec3d7a5b1e92426a
SHA1: 3f75229a2b2f1c2f12567d14e969acea7955e550
SHA256:510a1ab7f6642542e97a5edd6bc5b4de5f1043ab0a76ed516d633e3eabe4853d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.22  Confidence:Low  
  • maven: org.slf4j:slf4j-api:1.7.22.jbossorg-1  Confidence:Highest

artemis-boot-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-boot\1.4.0\artemis-boot-1.4.0.jar
MD5: 3870bc09090541140643bb40c5867d5a
SHA1: 2147c2e1d22fcab778be200356aea2ea37d3f2e8
SHA256:b74006fce506b8cd6b9073be26553a61e2233b7c3ea22aecec191aa51dff1242
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-boot:1.4.0  Confidence:Highest

artemis-server-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-server\1.4.0\artemis-server-1.4.0.jar
MD5: 5615914fa5a4351b70e724e3467a2b27
SHA1: 4250e60ba0cebf83615521ac77860cfbdb43bee6
SHA256:7aff35aac4bcc691989e9e2e9a0c335e7f62314511db238911eb838eca537587
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-server:1.4.0  Confidence:Highest

artemis-commons-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-commons\1.4.0\artemis-commons-1.4.0.jar
MD5: b00151445c93f11ae2924988c090f66e
SHA1: da1b915a473b774b8f7f17fee6f7e8b0372f8467
SHA256:10b66d717548665ca70c11ae680eeee26ce30e6bfc33c300b5901e8307cafcf5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-commons:1.4.0  Confidence:Highest

artemis-selector-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-selector\1.4.0\artemis-selector-1.4.0.jar
MD5: 85453000a645749d8929b8e694bbe94d
SHA1: 9a3b0af888bf4d098f752b200b134d6fbbc01418
SHA256:f7529358795d3614ab070505f1e4a546ba56d81d918ab6110cbb560a4e5ce0c8
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-selector:1.4.0  Confidence:Highest

artemis-journal-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-journal\1.4.0\artemis-journal-1.4.0.jar
MD5: 702adc682d8e0e9dc42edee8cb78a252
SHA1: 5dc1d72f739e4b1c02b36480efb186eeed1204ec
SHA256:1db320b9974c283040f6b18553c8e8e8007d00ee5b1fdda2792ac998cd15bb82
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-journal:1.4.0  Confidence:Highest

netty-all-4.0.39.Final.jar

File Path: C:\Users\Queue\.m2\repository\io\netty\netty-all\4.0.39.Final\netty-all-4.0.39.Final.jar
MD5: 7714a826b9f07422ce7bbcbe20de918c
SHA1: e4dfec34a8eebdbc4087210760e24c783660bd09
SHA256:21db430da144caa959609f006850d440d9df6d5a2b6320fb53da59700d378a89
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:netty_project:netty:4.0.39  Confidence:Low  
  • maven: io.netty:netty-all:4.0.39.Final  Confidence:Highest

artemis-dto-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-dto\1.4.0\artemis-dto-1.4.0.jar
MD5: 7e880c88749231ad0f2cea45556754ae
SHA1: 5901497b28d00c785d6f35fdb26bebbaeb84fa03
SHA256:2ec855c8f903be58e5c0844c12ab348c63f9675bd9f6c56d8985cad97d2ae2c1
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-dto:1.4.0  Confidence:Highest

artemis-cli-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-cli\1.4.0\artemis-cli-1.4.0.jar
MD5: f857333e46c5b574c6bec580b8e34f93
SHA1: 8b85f14c1b0d2bfd07e4e793da9f8e51143fd5aa
SHA256:9ddd42fc78fbcb84672b6a5295b5a5c16224d5665a5953a126e3fe19d200c5e9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-cli:1.4.0  Confidence:Highest

artemis-jms-server-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jms-server\1.4.0\artemis-jms-server-1.4.0.jar
MD5: f5ab5cf0d41bf9535da7595dd6379c92
SHA1: 2f7058c4c9f8e732723b2fc995f24440a5b14fb1
SHA256:4252b05625ad22370041200860c6e35fb257267ea9ee0c53e87a876e9bbb9d53
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jms-server:1.4.0  Confidence:Highest

artemis-service-extensions-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-service-extensions\1.4.0\artemis-service-extensions-1.4.0.jar
MD5: bb5ad723249af8951ce0b1f561fd359d
SHA1: 7838c0ee1f7f2c125f60e44f0561e179acaac55d
SHA256:d1f4fb7aff45bdf71a37abb7b5d9b75058782a4c6c1294551686057fde2911bb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-service-extensions:1.4.0  Confidence:Highest

geronimo-jms_2.0_spec-1.0-alpha-2.jar

Description:

 Java Message Service 2.0 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jms_2.0_spec\1.0-alpha-2\geronimo-jms_2.0_spec-1.0-alpha-2.jar
MD5: bd94cfcc9f711642d280681330b14844
SHA1: 8d8a4d5a80138ba4ebc7b5509989e3d7013c7e74
SHA256:62a109edef3de718b0cb600bf040b4be5e32c683a57ee16f9f8a89537bf5da51
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2  Confidence:Highest

geronimo-ejb_3.0_spec-1.0.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-ejb_3.0_spec\1.0.1\geronimo-ejb_3.0_spec-1.0.1.jar
MD5: 68fcefd6e5603d976fc885f5152a007b
SHA1: d79076ee74c2349840a019c8d3af0b70a7d4a424
SHA256:01149629423968bac94bc2ca71e90cdf45456e5846d77a8fd67f4b86bac2e78d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-ejb_3.0_spec:1.0.1  Confidence:Highest

geronimo-jta_1.1_spec-1.1.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jta_1.1_spec\1.1.1\geronimo-jta_1.1_spec-1.1.1.jar
MD5: 4aa8d50456bcec0bf6f032ceb182ad64
SHA1: aabab3165b8ea936b9360abbf448459c0d04a5a4
SHA256:3a0c3c1bbc2efe8383969574922791959670ef547d6c897496915617025c3023
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1  Confidence:Highest

artemis-jms-client-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jms-client\1.4.0\artemis-jms-client-1.4.0.jar
MD5: dbbe5f537d29381c45a114a21d5831e8
SHA1: 6f8b8d7cf8071502bb380a4051e0c127737ae877
SHA256:5d9fe6efc20c297737063da93707fc9b8618db3b740c85144ee5ed10c9c1d100
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jms-client:1.4.0  Confidence:Highest

artemis-ra-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-ra\1.4.0\artemis-ra-1.4.0.jar
MD5: 0d96684868245911ea911e3f3c832111
SHA1: b781f57265b12e94b3d0f90c3a6458bbef6b2aa8
SHA256:e6d7fa3774def7a027af266e24bd3fc9ee98b08d82966a1e08e3591dd9288804
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-ra:1.4.0  Confidence:Highest

artemis-spring-integration-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-spring-integration\1.4.0\artemis-spring-integration-1.4.0.jar
MD5: a442a62720273061cae54902ef23fe93
SHA1: ade5cd5246f83170306c450fd56fc8f5c3037302
SHA256:a108ebe3ac6c7253d7bce74da724992e014e45b131fa97d5ce35e17ce6eb5c63
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-spring-integration:1.4.0  Confidence:Highest

spring-tx-3.1.4.RELEASE.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-tx\3.1.4.RELEASE\spring-tx-3.1.4.RELEASE.jar
MD5: 07f5b208a5f1cf8e4a938af275ee2bfb
SHA1: e7cd40e53940e26f24f5500a084b45f57fabaa01
SHA256:a6fe4041956a377e8eeedb54ddb6984f397af0bc765d57285d73ff4427a18f28
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-0225  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2014-3578  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Vulnerable Software & Versions:

CVE-2014-3625  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

Vulnerable Software & Versions:

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

artemis-vertx-integration-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-vertx-integration\1.4.0\artemis-vertx-integration-1.4.0.jar
MD5: 5a760e356d8e66be2ed24829766884c3
SHA1: 24cae9586d895e80c45c158364326e9603c719c4
SHA256:b332ce178fb70ab15890626fbf4915611c3a6d371c55ec00098090590101a76f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-vertx-integration:1.4.0  Confidence:Highest

artemis-rest-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\rest\artemis-rest\1.4.0\artemis-rest-1.4.0.jar
MD5: c1a87bd28788fa0b06b7297aa9a4991c
SHA1: 682562566e65da4a1af940510a5cd6e271dac282
SHA256:0458ef07773fe04bc59dfb647f7b4bf5c626d992418001f682963b9e606eef39
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:activemq_artemis:1.4.0  Confidence:Low  
  • maven: org.apache.activemq.rest:artemis-rest:1.4.0  Confidence:Highest

CVE-2015-3208  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.

Vulnerable Software & Versions:

resteasy-jaxrs-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jaxrs\3.0.17.Final\resteasy-jaxrs-3.0.17.Final.jar
MD5: 78a9d13d5d006eb1df141bbc4d3428b6
SHA1: cddcf44126949f1da1675ef85ee4bcaecde5e524
SHA256:2c93d54090cf7eb8defed123ed7f6a3b55e88a45826eb5ee7e541609ff4de033
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxrs:3.0.17.Final  Confidence:Highest

jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar

Description:

 JSR 339: JAX-RS 2.0: The Java(TM) API for RESTful Web Services

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\ws\rs\jboss-jaxrs-api_2.0_spec\1.0.0.Final\jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar
MD5: 1d46206cd0a2cc4664bec37af61b1c6d
SHA1: dbf29e00dee135ef537b94167aa08b883f4d4cbf
SHA256:311dc2530b1a8398f1def36f688e739f5261b2e13a9e4b4a577f9df821ce6569
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.0.Final  Confidence:Highest

jboss-annotations-api_1.2_spec-1.0.0.Final.jar

Description:

 JSR 250: Common Annotations for the Java(TM) Platform

License:

CDDL or GPLv2 with exceptions: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\annotation\jboss-annotations-api_1.2_spec\1.0.0.Final\jboss-annotations-api_1.2_spec-1.0.0.Final.jar
MD5: 5f6032592ce12619333ee3330cdebf08
SHA1: 6d7ff02a645227876ed550900d32d618b8f0d556
SHA256:bb979cac95ef2748bc85d4b8151bef88b9a203d03068fbe799c6e6162c950780
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final  Confidence:Highest

activation-1.1.1.jar

Description:

 The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: C:\Users\Queue\.m2\repository\javax\activation\activation\1.1.1\activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.activation:activation:1.1.1  Confidence:Highest

jcip-annotations-1.0.jar

File Path: C:\Users\Queue\.m2\repository\net\jcip\jcip-annotations\1.0\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
SHA256:be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.jcip:jcip-annotations:1.0  Confidence:Highest

resteasy-jaxb-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jaxb-provider\3.0.17.Final\resteasy-jaxb-provider-3.0.17.Final.jar
MD5: 27cd6c9548b862ff77e0008a82ed874d
SHA1: 897e60634f401548fd2d6289cc3cc3d10f80d08d
SHA256:76fd66235a2636ef46d5ee7096b72979a611a8499359922cb64b5fc57228e1e1
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxb-provider:3.0.17.Final  Confidence:Highest

resteasy-jackson-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-jackson-provider\3.0.17.Final\resteasy-jackson-provider-3.0.17.Final.jar
MD5: 2e3a7678d2b47d0975cbffffa51df688
SHA1: e655ed57f11291947da4afe3e68086884ec1f131
SHA256:1cf728ac5ce3aaf1c9c26bdb3ab1639dd6a359b280f98c73eda1b3f4e67dd430
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jackson-provider:3.0.17.Final  Confidence:Highest

resteasy-atom-provider-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\resteasy-atom-provider\3.0.17.Final\resteasy-atom-provider-3.0.17.Final.jar
MD5: 57f174f1cabffb769e3088eb9613586f
SHA1: b19026890f8e259495faaf5b482f7e704a1f2bb1
SHA256:f89c35dd977ae4310ca19faf1a21a09380b0efd3f526ff067f4b481d76bada2d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-atom-provider:3.0.17.Final  Confidence:Highest

tjws-3.0.17.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\resteasy\tjws\3.0.17.Final\tjws-3.0.17.Final.jar
MD5: c1b7beea201682c3d8da0cde1ee86840
SHA1: a29a2760a6649efdf3377077502be2673b88afb4
SHA256:df2f44d6716934912227bbf9ef24715a44e9e91336ba6f5468f160de5439e2bb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.resteasy:tjws:3.0.17.Final  Confidence:Highest

servlet-api-2.5.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\servlet-api\2.5\servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.servlet:servlet-api:2.5  Confidence:Highest

geronimo-annotation_1.1_spec-1.0.1.jar

Description:

 Annotation spec 1.1 API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-annotation_1.1_spec\1.0.1\geronimo-annotation_1.1_spec-1.0.1.jar
MD5: 0108e7a68a084e4cbd41520785028752
SHA1: db45e16df8f72e3d6bf2d0117cb5665176c1d520
SHA256:e384dd365fe3d0912af967343c094087f1443b569f4cfc7d1418f145d6b94667
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-annotation_1.1_spec:1.0.1  Confidence:Highest

artemis-aerogear-integration-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-aerogear-integration\1.4.0\artemis-aerogear-integration-1.4.0.jar
MD5: 3b6bc22c9293dbaafffbcc14f522c99f
SHA1: 8f3ef666edbda20ec45aaefad5bca97539890e42
SHA256:c9a03dd75f94fe43f0684e05e905f1d561bb1c28ca34baa72b378f3060ae9384
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-aerogear-integration:1.4.0  Confidence:Highest

unifiedpush-java-client-1.0.0.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\aerogear\unifiedpush-java-client\1.0.0\unifiedpush-java-client-1.0.0.jar
MD5: e77842ba616db14852bc43b09456d1be
SHA1: 111e2c7ad74f316eb5020880961453c97ab5c29f
SHA256:88bdc63438c8b10aebd4c20ef9e5acf16bd3c942d55e290039e313ce7aabb02e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.aerogear:unifiedpush-java-client:1.0.0  Confidence:Highest

base64-2.3.8.jar

Description:

A Java class providing very fast Base64 encoding and decoding in the form of convenience methods and input/output streams.

License:

Public domain
File Path: C:\Users\Queue\.m2\repository\net\iharder\base64\2.3.8\base64-2.3.8.jar
MD5: 9a9828f0caa016a2f3e0c90fe3af771b
SHA1: 7d2e2cea90cc51169fd02a35888820ab07f6d02f
SHA256:bbf41fda22877a538f6bc2d5ad0aa372a7ddf4a756af3386aa09d3d4eea84f7f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.iharder:base64:2.3.8  Confidence:Highest

artemis-web-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-web\1.4.0\artemis-web-1.4.0.jar
MD5: bc4169101166e194d4fb9aa5dada907e
SHA1: 2112fb3393b425063486c64546dba8efdcc545b8
SHA256:b0ce4d995907308fba425d1efd559a9bcf00d43d6da576ebce0ff69b7044c551
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-web:1.4.0  Confidence:Highest

artemis-core-client-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-core-client\1.4.0\artemis-core-client-1.4.0.jar
MD5: adc22eba71b1de83442dbc61c8341121
SHA1: 1154294a0bf1f3a6a7e2fd9c990541671c75a49c
SHA256:23705a0cae1eb9971982b7d4f155a89f72ff823c026b54d1ef4e8ec83f45881f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-core-client:1.4.0  Confidence:Highest

jgroups-3.6.9.Final.jar

Description:

Reliable cluster communication toolkit

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\jgroups\jgroups\3.6.9.Final\jgroups-3.6.9.Final.jar
MD5: a61164494bd8dbdb27a1aa70677faba8
SHA1: 91f48c72e00e68dd48e048e1f008c58c89712dee
SHA256:006cb0ca4b7358e2ae778afe7f7056786fcd4d4b3b02ae7377bb778baf6be196
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jgroups:jgroups:3.6.9.Final  Confidence:Highest

artemis-proton-plug-1.4.0.jar

Description:

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-proton-plug\1.4.0\artemis-proton-plug-1.4.0.jar
MD5: e384a6e2b0a4b13865067b21540d70dc
SHA1: c1f9621fba7e514920e77905cbc2c8e4acfda591
SHA256:ce340075e155fb14fcbb906fd612b0b1b1b44f4c183fa87b12c49aecb92a2129
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2010-1151  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials.

Vulnerable Software & Versions:

CVE-2014-3581  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

Vulnerable Software & Versions:

proton-j-0.12.2.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\qpid\proton-j\0.12.2\proton-j-0.12.2.jar
MD5: e59f6024878406130286ae9b035a4c0d
SHA1: ce444a16c864c8970569350616820708d994a082
SHA256:edd19e3344fe9e5a04a9a21acbea5d29ad2552a64775ce463f165214c01bbec6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2016-4467  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Vulnerable Software & Versions:

jboss-logging-processor-2.0.0.Alpha2.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging-processor\2.0.0.Alpha2\jboss-logging-processor-2.0.0.Alpha2.jar
MD5: abac374a7fcf527dd2bf42bacce94259
SHA1: 99ebc6bf188bed5f2f1e013643bc39f1833fabe6
SHA256:5f64eeb46d75dca27ed83eb1ad8f6b3a52c47d94935698ca76265e2460b82931
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging-processor:2.0.0.Alpha2  Confidence:Highest

jboss-logging-annotations-2.0.0.Alpha2.jar

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging-annotations\2.0.0.Alpha2\jboss-logging-annotations-2.0.0.Alpha2.jar
MD5: 667501a5323801c391e6574e0dfbcf09
SHA1: 1a3168fb4fcd8c0e7d5fb28590dd077e6df584b8
SHA256:ca3d60d719f222bbd09b9ba63145f8b0081b86fb93feae3f40c76bb26ffa66fa
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging-annotations:2.0.0.Alpha2  Confidence:Highest

jdeparser-2.0.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\jdeparser\jdeparser\2.0.0.Final\jdeparser-2.0.0.Final.jar
MD5: 733a7f2c207b3f18bef02c64383c7026
SHA1: 71ec53d2ad72d6cb4e89653d66f65b3f8170870d
SHA256: eb19e6937115c08e00863ecaa5b40e77eff7fe8d86e9cc4a112247098f3cf598
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.jdeparser:jdeparser:2.0.0.Final  Confidence:Highest

artemis-native-1.4.0.jar

Description:

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-native\1.4.0\artemis-native-1.4.0.jar
MD5: 1d22aedae14829422680e60687cf6e7f
SHA1: c4b6c598938ffc8b19a85264d24a6f7410161ec8
SHA256: a50e1398504dee37bc5587ee1d84797b8dc8f9f037bead98811ff64d0f6cb710
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-1999-0070  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

test-cgi program allows an attacker to list files on the server.

Vulnerable Software & Versions: (show all)

CVE-1999-0236  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

Vulnerable Software & Versions: (show all)

CVE-1999-0289  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.

Vulnerable Software & Versions:

CVE-1999-0678  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.

Vulnerable Software & Versions:

CVE-1999-1237  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.

Vulnerable Software & Versions:

CVE-1999-1412  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

Vulnerable Software & Versions:

CVE-2001-0131  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)

htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.

Vulnerable Software & Versions: (show all)

CVE-2001-1556  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.

Vulnerable Software & Versions:

CVE-2003-0020  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

Vulnerable Software & Versions:

CVE-2003-0789  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client.

Vulnerable Software & Versions:

CVE-2004-0174  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."

Vulnerable Software & Versions:

CVE-2004-0942  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.

Vulnerable Software & Versions:

CVE-2004-2343  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

** DISPUTED ** Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive. NOTE: the vendor has disputed this issue, since the .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument.

Vulnerable Software & Versions:

CVE-2005-1268  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.

Vulnerable Software & Versions:

CVE-2007-0086  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

** DISPUTED **  The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment.  NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.

Vulnerable Software & Versions:

CVE-2007-0450  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.

Vulnerable Software & Versions:

CVE-2007-1349  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.

Vulnerable Software & Versions: (show all)

CVE-2007-4465  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset.  NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection.

Vulnerable Software & Versions: (show all)

CVE-2007-4723  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page.

Vulnerable Software & Versions: (show all)

CVE-2007-5000  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2007-5156  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.

Vulnerable Software & Versions: (show all)

CVE-2007-6388  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2007-6420  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.

Vulnerable Software & Versions: (show all)

CVE-2007-6421  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.

Vulnerable Software & Versions: (show all)

CVE-2007-6422  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.

Vulnerable Software & Versions: (show all)

CVE-2007-6423  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

** DISPUTED **  Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL.  NOTE: the vendor could not reproduce this issue.

Vulnerable Software & Versions: (show all)

CVE-2007-6750  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

Vulnerable Software & Versions: (show all)

CVE-2008-0455  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

Vulnerable Software & Versions: (show all)

CVE-2008-2168  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

Vulnerable Software & Versions: (show all)

CVE-2008-2579  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in the WebLogic Server Plugins for Apache, Sun and IIS web servers component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 has unknown impact and remote attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2008-2939  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

Vulnerable Software & Versions: (show all)

CVE-2009-1195  

Severity:Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-16 Configuration

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.

Vulnerable Software & Versions: (show all)

CVE-2009-1890  

Severity:High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-189 Numeric Errors

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

Vulnerable Software & Versions: (show all)

CVE-2009-1891  

Severity:High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).

Vulnerable Software & Versions: (show all)

CVE-2009-1955  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

Vulnerable Software & Versions: (show all)

CVE-2009-2699  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs.

Vulnerable Software & Versions: (show all)

CVE-2009-3095  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.

Vulnerable Software & Versions:

CVE-2009-3555  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-310 Cryptographic Issues

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Vulnerable Software & Versions: (show all)

CVE-2010-0408  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.

Vulnerable Software & Versions: (show all)

CVE-2010-0425  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."

Vulnerable Software & Versions: (show all)

CVE-2010-0434  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.

Vulnerable Software & Versions: (show all)

CVE-2010-1151  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials.

Vulnerable Software & Versions:

CVE-2010-1452  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.

Vulnerable Software & Versions: (show all)

CVE-2011-0419  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Vulnerable Software & Versions: (show all)

CVE-2011-1752  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.

Vulnerable Software & Versions: (show all)

CVE-2011-1783  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.

Vulnerable Software & Versions: (show all)

CVE-2011-3348  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

Vulnerable Software & Versions: (show all)

CVE-2012-0031  

Severity:Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-399 Resource Management Errors

scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.

Vulnerable Software & Versions: (show all)

CVE-2012-0883  

Severity:Medium
CVSS Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.

Vulnerable Software & Versions: (show all)

CVE-2013-1896  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

Vulnerable Software & Versions: (show all)

CVE-2013-2249  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

Vulnerable Software & Versions: (show all)

CVE-2013-6438  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

Vulnerable Software & Versions: (show all)

CVE-2014-0098  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

Vulnerable Software & Versions: (show all)

CVE-2014-0118  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.

Vulnerable Software & Versions: (show all)

CVE-2014-0226  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Vulnerable Software & Versions: (show all)

CVE-2014-0231  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

Vulnerable Software & Versions: (show all)

CVE-2014-3581  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

Vulnerable Software & Versions: (show all)

CVE-2015-0228  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.

Vulnerable Software & Versions:

CVE-2015-3183  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-17

The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.

Vulnerable Software & Versions:

CVE-2016-5387  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.  NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions: (show all)

CVE-2016-8612  

Severity:Low
CVSS Score: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache HTTP Server mod_cluster before version httpd 2.4.23 is vulnerable to an Improper Input Validation in the protocol parsing logic in the load balancer resulting in a Segmentation Fault in the serving httpd process.

Vulnerable Software & Versions: (show all)

CVE-2017-9788  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-200 Information Exposure

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

Vulnerable Software & Versions: (show all)

CVE-2017-9798  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-416 Use After Free

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Vulnerable Software & Versions: (show all)

CVE-2018-1301  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

Vulnerable Software & Versions:

CVE-2018-1302  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Vulnerable Software & Versions:

CVE-2018-1303  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-125 Out-of-bounds Read

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out-of-bounds read while preparing data to be cached in shared memory. It could be used as a denial-of-service attack against users of mod_cache_socache. The vulnerability is considered low risk since mod_cache_socache is not widely used; mod_cache_disk is not affected by this vulnerability.

Vulnerable Software & Versions:

artemis-jdbc-store-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-jdbc-store\1.4.0\artemis-jdbc-store-1.4.0.jar
MD5: 2fae67dbe1c3d13fe7e301e393de3826
SHA1: 24d4b5f5ed623608fc740c536dcdf16bb692918b
SHA256:c216fda24275440225852bc72068484590b1f1e194a0c1bc73a95e8db03c3589
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-jdbc-store:1.4.0  Confidence:Highest

artemis-website-1.4.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-website\1.4.0\artemis-website-1.4.0.jar
MD5: 85ecf0acc841033751ab8cd305f0bbbc
SHA1: b6531f20a851e1e231c00c257cca10639da208dd
SHA256:22a6042b86ff7b7927b7e8303d7405d96b8e3d4c061cf23b27b0effdd3cf28c9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.activemq:artemis-website:1.4.0  Confidence:Highest

jboss-logmanager-2.0.3.Final.jar

Description:

 An implementation of java.util.logging.LogManager

License:

Apache License Version 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logmanager\jboss-logmanager\2.0.3.Final\jboss-logmanager-2.0.3.Final.jar
MD5: 05865e429caaecad906a11986294e52e
SHA1: 0d2c746f4d4e237339bda5dbf6914b27190c4347
SHA256:119f07f791768432ee0ae3dbada3063481eca1924c217d47290fe5c8cbbea579
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logmanager:jboss-logmanager:2.0.3.Final  Confidence:Highest

airline-0.7.jar

Description:

 Java annotation-based framework for parsing Git like command line structures

File Path: C:\Users\Queue\.m2\repository\io\airlift\airline\0.7\airline-0.7.jar
MD5: 74da3d8dd81d16835097bcc094227430
SHA1: 16edc11b7d2d09e2db512f8028f05b9c48532229
SHA256:2ebe3cc06cadee9273a9bdaff6b582e07c201c0bb44881760eed49861374756d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: io.airlift:airline:0.7  Confidence:Highest

javax.inject-1.jar

Description:

 The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\javax\inject\javax.inject\1\javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.inject:javax.inject:1  Confidence:Highest

annotations-2.0.3.jar

Description:

 Annotation supports the FindBugs tool

License:

GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\com\google\code\findbugs\annotations\2.0.3\annotations-2.0.3.jar
MD5: 276433efe0027762cffb7e4adc9262da
SHA1: 191383fa0deb88f393558eec231b206edc23aba0
SHA256:3ad1e8f838dbd6da3424a451d5d9262ea9c526eddb627b54b885cfd332efbc99
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.findbugs:annotations:2.0.3  Confidence:Highest

activemq-client-5.12.0.jar

Description:

 The ActiveMQ Client implementation

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\activemq-client\5.12.0\activemq-client-5.12.0.jar
MD5: 78d3ec919f95a26498eca206e5bee08e
SHA1: 6f27a6724365563e761fd7385046db0217717335
SHA256:d6033166f5a7764eba250d575ae80d3fe3bee99f53b34b4603174096acbba835
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2015-5182  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ.

Vulnerable Software & Versions:

CVE-2015-5183  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies.

Vulnerable Software & Versions:

CVE-2015-5184  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and have other unspecified impact.

Vulnerable Software & Versions:

CVE-2015-5254  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Vulnerable Software & Versions:

CVE-2016-0734  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Vulnerable Software & Versions:

CVE-2016-0782  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.

Vulnerable Software & Versions:

CVE-2016-3088  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Vulnerable Software & Versions:

CVE-2016-6810  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Apache ActiveMQ 5.x before 5.14.2, a cross-site scripting vulnerability was identified in the web-based administration console. The root cause of this issue is improper validation of user data when it is written to the output.

Vulnerable Software & Versions:

CVE-2018-11775  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-254 7PK - Security Features

TLS hostname verification was missing when using the Apache ActiveMQ Client before 5.15.6, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. Hostname verification is now enabled by default.

Vulnerable Software & Versions:

geronimo-jms_1.1_spec-1.1.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-jms_1.1_spec\1.1.1\geronimo-jms_1.1_spec-1.1.1.jar
MD5: d80ce71285696d36c1add1989b94f084
SHA1: c872b46c601d8dc03633288b81269f9e42762cea
SHA256:18d9ff7b9066aa99cf89843f5055d2fe58b1abe4346ee9df0daf4ac18ca232d7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1  Confidence:Highest

hawtbuf-1.11.jar

Description:

 HawtBuf: a rich byte buffer library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\fusesource\hawtbuf\hawtbuf\1.11\hawtbuf-1.11.jar
MD5: a80061bd945ca0f13072861777ff27b1
SHA1: 8f0e50ad8bea37b84b698ec40cce09e47714a63e
SHA256:c6b45db967f3b2b3e28fd2f0724b1730a89d3f5aa9eef3664de29caba219593e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.fusesource.hawtbuf:hawtbuf:1.11  Confidence:Highest

geronimo-j2ee-management_1.1_spec-1.0.1.jar

Description:

 Provides open-source implementations of Sun specifications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-j2ee-management_1.1_spec\1.0.1\geronimo-j2ee-management_1.1_spec-1.0.1.jar
MD5: 7e1708a3b808e9749b5789668fd9ca8b
SHA1: 5372615b0c04c1913c95c34a0414cef720ca2855
SHA256:7ad780c72a92039bc07cbc09b6ee8d06571a1fbd92d4361a19a433d783b6e221
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec:1.0.1  Confidence:Highest

jetty-jmx-9.3.10.v20160621.jar

Description:

 JMX management artifact for jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-jmx\9.3.10.v20160621\jetty-jmx-9.3.10.v20160621.jar
MD5: 42134e822e85f780458e39f9925b8100
SHA1: 24272ad2c7be1aa2a73d0f63e3b5d56ef49cbfcf
SHA256:7a16af998b938aeb2565828e50abdec2407eec3b2c69816eb43fb2542e52397d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.10.v20160621  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jmx:9.3.10.v20160621  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

javax.annotation-api-1.2.jar

Description:

 Common Annotations for the Java™ Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\annotation\javax.annotation-api\1.2\javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.annotation:javax.annotation-api:1.2  Confidence:Highest

asm-5.0.1.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm\5.0.1\asm-5.0.1.jar
MD5: d6fa9169eb883ac82effd333eaffd4fc
SHA1: 2fd56467a018aafe6ec6a73ccba520be4a7e1565
SHA256:56057490cbc1eeae6227e6eb5c6d5b324b77429b8a78d15027c77d491ef9c675
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.ow2.asm:asm:5.0.1  Confidence:Highest

asm-commons-5.0.1.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-commons\5.0.1\asm-commons-5.0.1.jar
MD5: 6b6ec238db815d6041bd1cea62eacc06
SHA1: 7b7147a390a93a14d2edfdcf3f7b0e87a0939c3e
SHA256:fb1cb7fa27d892712ced8fbf8d027eb5052ecd3999dba1ba47824357accb40e7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.ow2.asm:asm-commons:5.0.1  Confidence:Highest

javax.security.auth.message-1.0.0.v201108011116.jar

Description:

 This artifact originates from the Orbit Project at Eclipse; it is an OSGi bundle and is signed as well.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\orbit\javax.security.auth.message\1.0.0.v201108011116\javax.security.auth.message-1.0.0.v201108011116.jar
MD5: 4d19b63b9722a19e19f5d374b3cec353
SHA1: 864ac89e01622b020fa2104bfda379692146b3b6
SHA256:c98c8c84b47d4f4f8acb8efb20e40188110b31607b845d4574dd00a08fe72313
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty.orbit:javax.security.auth.message:1.0.0.v201108011116  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:1.0.0.v20110801  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:1.0.0.v20110801  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:
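
The four Jetty CVEs listed above for javax.security.auth.message-1.0.0.v201108011116.jar rest on the two Low-confidence CPE identifiers (cpe:/a:jetty:jetty:1.0.0.v20110801 and cpe:/a:eclipse:jetty:1.0.0.v20110801). The jar's own description says it is the javax.security.auth.message API repackaged by the Eclipse Orbit project, and its Maven identifier is org.eclipse.jetty.orbit at Highest confidence; the Jetty CPE appears to come from that Orbit group id, after which the "9.2.x and older" ranges in the Jetty advisories sweep in version 1.0.0. Whether that is a false positive is a judgment for the reviewer, but if it is, the way to record it is a Dependency-Check suppression file. The file below is an added example and is not part of the generated report: it pins the rule to this jar's SHA1 from the report so that the Jetty 9.3.10 modules elsewhere in this report, which are real Jetty code in an affected 9.3.x range, keep their findings. The xsd namespace is the schema URL published with the tool; the text inside notes is the editor's rationale, not something the report states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file, not part of the generated report.
     Scope is one artifact (matched by SHA1), not the whole Jetty CPE,
     so findings on the genuine Jetty 9.3.10 jars are unaffected. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      javax.security.auth.message-1.0.0.v201108011116.jar is the JASPI API
      bundle repackaged by the Eclipse Orbit project (group org.eclipse.jetty.orbit).
      The cpe:/a:jetty:jetty and cpe:/a:eclipse:jetty matches are reported at
      Low confidence; they come from the Orbit group id, not from Jetty server
      code, and the "9.2.x and older" ranges in the Jetty CVEs then cover 1.0.0.
      Re-review if the artifact or its coordinates change.
    ]]></notes>
    <!-- SHA1 as printed in the report entry for this jar -->
    <sha1>864ac89e01622b020fa2104bfda379692146b3b6</sha1>
    <!-- A CPE without a version suppresses every CVE matched through that
         vendor:product for the artifact selected above (and only that artifact). -->
    <cpe>cpe:/a:jetty:jetty</cpe>
    <cpe>cpe:/a:eclipse:jetty</cpe>
  </suppress>
</suppressions>
```

Because the report shows the scan ran from a Maven project (Referenced In Project/Scope: DependencyCheck:compile), the file is wired in through the plugin's suppressionFiles configuration and committed beside the pom, so the rationale in notes is reviewed with the rest of the code. Matching on sha1 rather than on the CPE alone is deliberate: a bare cpe rule would silence the same CVEs on jetty-jmx, websocket-server, http2-common and http2-hpack, where the 9.3.10 version is inside the affected ranges and the finding is not a false positive.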

javax.transaction-api-1.2.jar

Description:

 Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\transaction\javax.transaction-api\1.2\javax.transaction-api-1.2.jar
MD5: 2dfee184286530e726ad155816e15b4c
SHA1: d81aff979d603edd90dcd8db2abc1f4ce6479e3e
SHA256:9528449583c34d9d63aa1d8d15069790f925ae1f27b33784773b8099eff4c9ff
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.transaction:javax.transaction-api:1.2  Confidence:Highest

websocket-api-9.3.10.v20160621.jar

Description:

 Jetty module for Jetty :: Websocket :: API

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\websocket\websocket-api\9.3.10.v20160621\websocket-api-9.3.10.v20160621.jar
MD5: dadc47c43382b1885e2152d50399c328
SHA1: 36d96ae6ea05cb7a450994b8dcbe217228cd4e68
SHA256:cbe62c8381dace44d98a453961423aaf73f364834eda841d3498a99f20d0707f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.3.10.v20160621  Confidence:Highest

javax-websocket-server-impl-9.3.10.v20160621.jar

Description:

 javax.websocket.server Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\websocket\javax-websocket-server-impl\9.3.10.v20160621\javax-websocket-server-impl-9.3.10.v20160621.jar
MD5: 29eec0380c0b92f7d92374cd62144145
SHA1: 4939086c98ed3906b403bfb747be72ff64f1fa58
SHA256:deff9abe3d15452f2fff3ab99830aca32d39284b1ee17402f633fa94f1e2888f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.10.v20160621  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-server-impl:9.3.10.v20160621  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

websocket-server-9.3.10.v20160621.jar

Description:

 Jetty module for Jetty :: Websocket :: Server

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\websocket\websocket-server\9.3.10.v20160621\websocket-server-9.3.10.v20160621.jar
MD5: 342bb3b7142eb0cff0ccc13acdd8017c
SHA1: ad7e1e6a5f3eb52672e98afb34da01d223785faa
SHA256:29988d0594d6c13389d81823aa336ebaad556e9c2bd1c01bd29d0d857098aebf
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:websocket-server:9.3.10.v20160621  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.10.v20160621  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

http2-server-9.3.10.v20160621.jar

Description:

 Jetty module for Jetty :: HTTP2 :: Server

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\http2\http2-server\9.3.10.v20160621\http2-server-9.3.10.v20160621.jar
MD5: 95921bd578c04d41045e6b408a44c942
SHA1: 7bbdfba9cd6ab2223a328290da4ad42a1e8ddef0
SHA256:1e5a691078baf90832624e0c2e5b0fe94452ddd702c701e1e5cf0f932e6324fd
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty_http_server:9.3.10.v20160621  Confidence:Low  
  • maven: org.eclipse.jetty.http2:http2-server:9.3.10.v20160621  Confidence:Highest

http2-common-9.3.10.v20160621.jar

Description:

 Jetty module for Jetty :: HTTP2 :: Common

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\http2\http2-common\9.3.10.v20160621\http2-common-9.3.10.v20160621.jar
MD5: 86afff01820e3e29a068235a027f1a02
SHA1: 7da67b7beebb532100810e118112d4d033572b71
SHA256:4e6e8cbaa9d39c1aba9d8c8a45f97256c68a1553af50957e2362ad309800f471
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • maven: org.eclipse.jetty.http2:http2-common:9.3.10.v20160621  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.10.v20160621  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

http2-hpack-9.3.10.v20160621.jar

Description:

 Jetty module for Jetty :: HTTP2 :: HPACK

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\http2\http2-hpack\9.3.10.v20160621\http2-hpack-9.3.10.v20160621.jar
MD5: d4159b2d91674a1aff6bb6ff2b9e9beb
SHA1: 1a34b4326f8a1fa453d82a19a8ecc17a8d6a04f5
SHA256:f372143dc1bd0ab898f523c1d5e084669568560a2a7775a0c20f5dd18cb9144f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • maven: org.eclipse.jetty.http2:http2-hpack:9.3.10.v20160621  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

javax.websocket-api-1.0.jar

Description:

 JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\javax\websocket\javax.websocket-api\1.0\javax.websocket-api-1.0.jar
MD5: 510563ac69503be2d6cbb6d492a8027b
SHA1: fc843b649d4a1dcb0497669d262befa3918c7ba8
SHA256:dd93009fb5aa3798bcd9ab0492a292ddae0f0b1ed2e45a75867a9925c90e747a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.websocket:javax.websocket-api:1.0  Confidence:Highest

javax.mail.glassfish-1.4.1.v201005082020.jar

Description:

 This artifact originates from the Orbit Project at Eclipse; it is an OSGi bundle and is signed as well.

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\orbit\javax.mail.glassfish\1.4.1.v201005082020\javax.mail.glassfish-1.4.1.v201005082020.jar
MD5: 4338c1dd7b00b31633ca1067d0685255
SHA1: b707c39fc080529c4a9ffc1df4eac58421133aaf
SHA256:5de5893eb05ebfc397884f5357c274876ea6d05adbc3de7db5d4e4355a23d652
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:1.4.1.v20100508  Confidence:Low  
  • maven: org.eclipse.jetty.orbit:javax.mail.glassfish:1.4.1.v201005082020  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:1.4.1.v20100508  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

javax.activation-1.1.0.v201105071233.jar

Description:

 This artifact originates from the Orbit Project at Eclipse; it is an OSGi bundle and is signed as well.

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\orbit\javax.activation\1.1.0.v201105071233\javax.activation-1.1.0.v201105071233.jar
MD5: 1402e9e48aa8bd79196b9a509be492ea
SHA1: b394a9fbf664ca835452b3ced452710bcf79fd81
SHA256:5e18b1f0ec47d980f199eb7ee40acdc068c96f754f75040c0f129fcfa7724f06
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:eclipse:jetty:1.1.0.v20110507  Confidence:Low  
  • maven: org.eclipse.jetty.orbit:javax.activation:1.1.0.v201105071233  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:1.1.0.v20110507  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

tomcat-servlet-api-8.0.23.jar

Description:

 javax.servlet package

License:

Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0: http://www.apache.org/licenses/LICENSE-2.0.txt and http://www.opensource.org/licenses/cddl1.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\tomcat\tomcat-servlet-api\8.0.23\tomcat-servlet-api-8.0.23.jar
MD5: f57ce82729c4f2c1feb333715a0b8d2c
SHA1: fe715e33b2a6ddf2d77970fe280235d228132953
SHA256:7b505b39b8df8832a36421ef3f31937776673401dfd34e7357f8387332df03f9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.tomcat:tomcat-servlet-api:8.0.23  Confidence:Highest

commons-beanutils-1.9.2.jar

Description:

 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-beanutils\commons-beanutils\1.9.2\commons-beanutils-1.9.2.jar
MD5: 9f298a2d65e68184f9ebaa938bc12106
SHA1: 7a87d845ad3a155297e8f67d9008f4c1e5656b71
SHA256:23729e3a2677ed5fb164ec999ba3fcdde3f8460e5ed086b6a43d8b5d46998d42
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-beanutils:commons-beanutils:1.9.2  Confidence:Highest
  • cpe: cpe:/a:apache:commons_beanutils:1.9.2  Confidence:Low  

commons-logging-1.2.jar

Description:

 Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-logging:commons-logging:1.2  Confidence:Highest

netty-transport-5.0.0.Alpha2.jar

Description:

 Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\io\netty\netty-transport\5.0.0.Alpha2\netty-transport-5.0.0.Alpha2.jar
MD5: 1e57d11a0977140c1016de8d73786757
SHA1: 340af2e29f04c00a4bc54e9be3f058f2abb51c87
SHA256:66a5cf4eb21d87b3dd5028e5fb776760630707ed712fa34e74ac7e8f58f2cbed
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:netty_project:netty:5.0.0  Confidence:Low  
  • maven: io.netty:netty-transport:5.0.0.Alpha2  Confidence:Highest

geronimo-json_1.0_spec-1.0-alpha-1.jar

Description:

 Apache Geronimo implementation of the JSR-353

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\geronimo\specs\geronimo-json_1.0_spec\1.0-alpha-1\geronimo-json_1.0_spec-1.0-alpha-1.jar
MD5: 6371c7802b604ae344851eb9656616b7
SHA1: 7e73447b974a7c3a4792fba671499a6da263105f
SHA256:9ad66832295ebfb21e168f29e9411924e13e233ee2ddc61b9a9b09a3f18dc183
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.geronimo.specs:geronimo-json_1.0_spec:1.0-alpha-1  Confidence:Highest

johnzon-core-0.9.4.jar

Description:

 Apache Johnzon is an implementation of JSR-353 (JavaTM API for JSON Processing).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\johnzon\johnzon-core\0.9.4\johnzon-core-0.9.4.jar
MD5: dbf431672d6454c9e43e7e79903d7d8c
SHA1: 481637e772b33b817493948f62f692e1bfc936a2
SHA256:d93d1ac10567178c679562980346d4ef416ffa3e7cdd7a4de9d65a0221a09f49
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.johnzon:johnzon-core:0.9.4  Confidence:Highest

nifi-api-1.8.0.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\nifi\nifi-api\1.8.0\nifi-api-1.8.0.jar
MD5: f90bcf18c40b9a190c19c63f9be60eea
SHA1: 5aaaf4ae5f95af2293d9128ca5207973e1b11e99
SHA256:fc23ead59304da889c34834242a7f243c2723311b41188fbe67ee1ad136b4946
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.apache.nifi:nifi-api:1.8.0  Confidence:Highest
  • cpe: cpe:/a:apache:nifi:1.8.0  Confidence:Low  

red5-server-1.0.9-RELEASE.jar

Description:

 The Red5 server

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-server\1.0.9-RELEASE\red5-server-1.0.9-RELEASE.jar
MD5: 226efb104905982591b5e6f23e6009f5
SHA1: b121977e74430da9c9b53cf9c236b11d73df8a61
SHA256:240ab3c337cecef6e5b6795a3650c9c2b4f1f72723e514067f82e3e63273d8c4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-server:1.0.9-RELEASE  Confidence:Highest

jcl-over-slf4j-1.7.25.jar

Description:

 JCL 1.2 implemented over SLF4J

File Path: C:\Users\Queue\.m2\repository\org\slf4j\jcl-over-slf4j\1.7.25\jcl-over-slf4j-1.7.25.jar
MD5: 56b22adc639b09b2e917f42d68b26600
SHA1: f8c32b13ff142a513eeb5b6330b1588dcb2c0461
SHA256:5e938457e79efcbfb3ab64bc29c43ec6c3b95fffcda3c155f4a86cc320c11e14
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.slf4j:jcl-over-slf4j:1.7.25  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.7.25  Confidence:Low  

jul-to-slf4j-1.7.25.jar

Description:

 JUL to SLF4J bridge

File Path: C:\Users\Queue\.m2\repository\org\slf4j\jul-to-slf4j\1.7.25\jul-to-slf4j-1.7.25.jar
MD5: ab28124cb05fec600f2ffe37b94629e0
SHA1: 0af5364cd6679bfffb114f0dec8a157aaa283b76
SHA256:416c5a0c145ad19526e108d44b6bf77b75412d47982cce6ce8d43abdbdbb0fac
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.slf4j:jul-to-slf4j:1.7.25  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.7.25  Confidence:Low  

log4j-over-slf4j-1.7.25.jar

Description:

 Log4j implemented over SLF4J

License:

Apache Software Licenses: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\slf4j\log4j-over-slf4j\1.7.25\log4j-over-slf4j-1.7.25.jar
MD5: fb818c7981d842875905587a61f2b942
SHA1: a87bb47468f47ee7aabbd54f93e133d4215769c3
SHA256:c84c5ce4bbb661369ccd4c7b99682027598a0fb2e3d63a84259dbe5c0bf1f949
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.slf4j:log4j-over-slf4j:1.7.25  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.7.25  Confidence:Low  

logback-core-1.2.3.jar

Description:

 logback-core module

License:

http://www.eclipse.org/legal/epl-v10.html, http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: C:\Users\Queue\.m2\repository\ch\qos\logback\logback-core\1.2.3\logback-core-1.2.3.jar
MD5: 841fc80c6edff60d947a3872a2db4d45
SHA1: 864344400c3d4d92dfeb0a305dc87d953677c03c
SHA256:5946d837fe6f960c02a53eda7a6926ecc3c758bbdd69aa453ee429f858217f22
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:logback:logback:1.2.3  Confidence:Low  
  • maven: ch.qos.logback:logback-core:1.2.3  Confidence:Highest

spring-core-4.3.8.RELEASE.jar

Description:

 Spring Core

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-core\4.3.8.RELEASE\spring-core-4.3.8.RELEASE.jar
MD5: 6cfb77086005e125dff38f180c90f093
SHA1: cce6c251249e48f0a86aa578c2a0e262efa5a1e0
SHA256:46e402b2b15b357c12bcba6807e93edcd5404feb4960ce466f2c1c3d4d38ee2b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:pivotal:spring_framework:4.3.8  Confidence:Low  
  • cpe: cpe:/a:pivotal_software:spring_framework:4.3.8  Confidence:Highest  
  • maven: org.springframework:spring-core:4.3.8.RELEASE  Confidence:Highest

CVE-2018-11039  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Vulnerable Software & Versions:

CVE-2018-11040  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Vulnerable Software & Versions:

CVE-2018-1199  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.

Vulnerable Software & Versions:

CVE-2018-1257  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

CVE-2018-1275  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Vulnerable Software & Versions:

red5-server-common-1.0.9-RELEASE.jar

Description:

 Classes common for multiple red5 projects

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-server-common\1.0.9-RELEASE\red5-server-common-1.0.9-RELEASE.jar
MD5: fa266a829289fee4df842ce626646a49
SHA1: 1988b6dc69f026730c0afa8857c1034bd7a83b42
SHA256:fbaf853eae13ba29b9956d53a5c8752692a5a00cc8588642b169d099256ad204
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-server-common:1.0.9-RELEASE  Confidence:Highest

mina-core-2.0.16.jar

Description:

 Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\apache\mina\mina-core\2.0.16\mina-core-2.0.16.jar
MD5: fd86528fa9d9ba8fb8c37e3ac28fa45f
SHA1: f720f17643eaa7b0fec07c1d7f6272972c02bba4
SHA256:5d864fb422b9f7f6f8038e713daeb0782d6af7263fb5a339a8b5d61b5d3b692d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.mina:mina-core:2.0.16  Confidence:Highest

bcprov-jdk15on-1.56.jar

Description:

 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: C:\Users\Queue\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.56\bcprov-jdk15on-1.56.jar
MD5: 3c1bc7aaf3449308e34296546078d9f7
SHA1: a153c6f9744a3e9dd6feab5e210e1c9861362ec7
SHA256:963e1ee14f808ffb99897d848ddcdb28fa91ddda867eb18d303e82728f878349
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

CVE-2017-13098  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."

Vulnerable Software & Versions:

CVE-2018-1000180  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Vulnerable Software & Versions:

CVE-2018-1000613  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Legion of the Bouncy Castle Java Cryptography APIs prior to version 1.60 contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization. Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key that includes references to unexpected classes, which will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Vulnerable Software & Versions:

red5-io-1.0.9-RELEASE.jar

Description:

 The Red5 I/O library

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-io\1.0.9-RELEASE\red5-io-1.0.9-RELEASE.jar
MD5: 30769f05abd2aee94fb839973f59b37c
SHA1: 0f5930ce0f325e1f61890892bc07d930562ecd8b
SHA256:9e374809c29993ac0500254d20b6e2b7b44e73e8470fd9f0d3fcc0fd0eb4c886
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-io:1.0.9-RELEASE  Confidence:Highest

tika-core-1.14.jar

Description:

 This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\tika\tika-core\1.14\tika-core-1.14.jar
MD5: d86a1e930da97345b4130c03e8193f58
SHA1: afff8f1774994aa973ef90bc8d38ddf089b9d6d9
SHA256:6708c01d44378529afe509e19f0314bd65aa8d62c01ba577d1b6cdf7fcd5f3a7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:tika:1.14  Confidence:Highest  
  • maven: org.apache.tika:tika-core:1.14  Confidence:Highest

CVE-2018-1335  

Severity:High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Vulnerable Software & Versions:

CVE-2018-1338  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions:

CVE-2018-1339  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions:

CVE-2018-8017  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.

Vulnerable Software & Versions:

jmatio-1.2.jar

Description:

 Matlab's MAT-file I/O API in Java. Supports reading and writing the Matlab 5 MAT-file format. Written in pure Java.

License:

BSD: http://www.linfo.org/bsdlicense.html
File Path: C:\Users\Queue\.m2\repository\org\tallison\jmatio\1.2\jmatio-1.2.jar
MD5: 237ce61a21ae9570ee5754fb5a54c57e
SHA1: 69d8f2f49c1503f9b15b0eb50b1905a734a025e2
SHA256:5dbcc1d2cda2ef85a4e780e3a082c3bfc17e2ade2ea0e5ffd27834a9f7668fc4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.tallison:jmatio:1.2  Confidence:Highest

apache-mime4j-core-0.7.2.jar

Description:

 Java stream based MIME message parser

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\james\apache-mime4j-core\0.7.2\apache-mime4j-core-0.7.2.jar
MD5: 88f799546eca803c53eee01a4ce5edcd
SHA1: a81264fe0265ebe8fd1d8128aad06dc320de6eef
SHA256:4d7434c68f94b81a253c12f28e6bbb4d6239c361d6086a46e22e594bb43ac660
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.james:apache-mime4j-core:0.7.2  Confidence:Highest
  • cpe: cpe:/a:apache:james:0.7.2  Confidence:Low  

pdfbox-tools-2.0.3.jar

Description:

 The Apache PDFBox library is an open source Java tool for working with PDF documents. This artefact contains commandline tools using Apache PDFBox.

File Path: C:\Users\Queue\.m2\repository\org\apache\pdfbox\pdfbox-tools\2.0.3\pdfbox-tools-2.0.3.jar
MD5: 5cb2d888358e6740d876e9a0ec6480f0
SHA1: f07038a406e2b4d7b4b21b306a16ebb04126fa2c
SHA256:cc5c5da822777babed23cf0de1e96f057548f5e2649b47d672ee27142d944590
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:pdfbox:2.0.3  Confidence:Low  
  • maven: org.apache.pdfbox:pdfbox-tools:2.0.3  Confidence:Highest

jempbox-1.8.12.jar

Description:

 The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\pdfbox\jempbox\1.8.12\jempbox-1.8.12.jar
MD5: 8e65171dec17bf5939f539e60d2721c8
SHA1: 426450c573c19f6f2c751a7a52c11931b712c9f6
SHA256:6ef72ac07682eb7b6355024f535a7a45c8f289f6b11f531acfba225ad2503b52
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:pdfbox:1.8.12  Confidence:Low  
  • maven: org.apache.pdfbox:jempbox:1.8.12  Confidence:Highest

tagsoup-1.2.1.jar

Description:

 TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\ccil\cowan\tagsoup\tagsoup\1.2.1\tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
SHA256:ac97f7b4b1d8e9337edfa0e34044f8d0efe7223f6ad8f3a85d54cc1018ea2e04
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.ccil.cowan.tagsoup:tagsoup:1.2.1  Confidence:Highest

metadata-extractor-2.9.1.jar

Description:

 Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\drewnoakes\metadata-extractor\2.9.1\metadata-extractor-2.9.1.jar
MD5: 2ca081a3d5fc1bcfbb51cc11808a8b88
SHA1: 53fdf22be10c9d426ec63431c7342895bc642261
SHA256:4d7382568a5e5aac96c261d8fd67b030a533982ecac563e8ed4f327831f0b024
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.drewnoakes:metadata-extractor:2.9.1  Confidence:Highest
  • cpe: cpe:/a:id:id-software:2.9.1  Confidence:Low  

xmpcore-5.1.2.jar

Description:

 The XMP Library for Java is based on the C++ XMPCore library and the API is similar.

License:

The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: C:\Users\Queue\.m2\repository\com\adobe\xmp\xmpcore\5.1.2\xmpcore-5.1.2.jar
MD5: 0b2cf2a09d32abdedd17de864e93ad25
SHA1: 55615fa2582424e38705487d1d3969af8554f637
SHA256:0adcd63003aaff0a87b938f6accc2d890a2169c751a9b36881237f8546287090
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.adobe.xmp:xmpcore:5.1.2  Confidence:Highest

boilerpipe-1.1.0.jar

Description:

 The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.

The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.

Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.

Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.

The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining, New York City, NY, USA.

License:

Apache License 2.0
File Path: C:\Users\Queue\.m2\repository\de\l3s\boilerpipe\boilerpipe\1.1.0\boilerpipe-1.1.0.jar
MD5: 0616568083786d0f49e2cb07a5d09fe4
SHA1: f62cb75ed52455a9e68d1d05b84c500673340eb2
SHA256:088203df4326c4dcc42cec1253a2b41e03dc8904984eae744543b48e2cc63846
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: de.l3s.boilerpipe:boilerpipe:1.1.0  Confidence:Highest
  • cpe: cpe:/a:html-pages_project:html-pages:1.1.0  Confidence:Low  

rome-1.5.1.jar

Description:

 All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work with the data without bothering about the underlying format.

File Path: C:\Users\Queue\.m2\repository\com\rometools\rome\1.5.1\rome-1.5.1.jar
MD5: 07039d4b871513942d0495311947275f
SHA1: cc3489f066749bede7fc81f4e80c0d8c9534a210
SHA256:0f754b6886c3c97e1ca8ccd6c94de383a14908cd6f1e68b6ab951af016e8b23f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.rometools:rome:1.5.1  Confidence:Highest

rome-utils-1.5.1.jar

Description:

 Utility classes for ROME projects

File Path: C:\Users\Queue\.m2\repository\com\rometools\rome-utils\1.5.1\rome-utils-1.5.1.jar
MD5: ba0f0958cbbacd734b383038c3dcb0ef
SHA1: 3a3d6473a2f5d55fb31bf6c269af963fdea13b54
SHA256:8267802f2f959558a7974ea754c2d80d3e1c813d24045c066c539664d8422be2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.rometools:rome-utils:1.5.1  Confidence:Highest

juniversalchardet-1.0.3.jar

Description:

 Java port of universalchardet

License:

Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: C:\Users\Queue\.m2\repository\com\googlecode\juniversalchardet\juniversalchardet\1.0.3\juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
SHA256:757bfe906193b8b651e79dc26cd67d6b55d0770a2cdfb0381591504f779d4a76
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.googlecode.juniversalchardet:juniversalchardet:1.0.3  Confidence:Highest

ehcache-core-2.6.11.jar

Description:

 This is the ehcache core module. Pair it with other modules for added functionality.

License:

The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\net\sf\ehcache\ehcache-core\2.6.11\ehcache-core-2.6.11.jar
MD5: 81840aace00ec514154d6dac91ba43e5
SHA1: fae7f84a5ffabe1b814e40190650c0ad5aeda5b1
SHA256:ffe3580aadb6e07f86e49e326f3402fe8dfbf3470eb2782d68507bd31d75af88
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.ehcache:ehcache-core:2.6.11  Confidence:Highest

isoparser-1.9.27.jar

Description:

 A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)

License:

Apache Software License - Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\mp4parser\isoparser\1.9.27\isoparser-1.9.27.jar
MD5: 0f6bf0029e512cea263c63c072e8e8f0
SHA1: d1f2459b0e66719f1e09b02e5cdb7cddd55baf9f
SHA256:634a165cc56b872aa227a6be8d555747054b5005828694bd94a1b7a4b7cb61d4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.mp4parser:isoparser:1.9.27  Confidence:Highest
  • cpe: cpe:/a:boxes_project:boxes:1.9.27  Confidence:Low  

red5-service-1.0.9-RELEASE.jar

Description:

 The Red5 server service daemon

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\red5\red5-service\1.0.9-RELEASE\red5-service-1.0.9-RELEASE.jar
MD5: 0fb199375c8890ea4d3edce0911df01a
SHA1: 5b175d09cae4d66dd85754993b277f8b092ad99f
SHA256:483244cfa6c694c5f7feede3108fcba4116bec958f0830b94d842ce4f6bbec95
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.red5:red5-service:1.0.9-RELEASE  Confidence:Highest

commons-daemon-1.0.15.jar

Description:

 Apache Commons Daemon software provides an alternative invocation mechanism for unix-daemon-like Java code.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-daemon\commons-daemon\1.0.15\commons-daemon-1.0.15.jar
MD5: 631bfc43cf5f601d34f1f5ea16751061
SHA1: 275b3f1efc36c6a5c276440a96a489f4ff90fa8a
SHA256:61a8f2b067b3ae8b3684669509250faffedbcfabd50f055bbe60c3fd5f0eb01e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-daemon:commons-daemon:1.0.15  Confidence:Highest
  • cpe: cpe:/a:apache:apache_commons_daemon:1.0.15  Confidence:Low  

mina-integration-beans-2.0.16.jar

Description:

 Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\apache\mina\mina-integration-beans\2.0.16\mina-integration-beans-2.0.16.jar
MD5: fb54998e33f6f411c566201d91407e13
SHA1: 47446b0070acf6f82fe99366a1424adf4f9b2d35
SHA256:4a31916661a61105dfb86fa4f6e5a3ab3c45151a99a64de8c1ac1d1bd574efa9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.mina:mina-integration-beans:2.0.16  Confidence:Highest

quartz-2.3.0.jar

Description:

 Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0
File Path: C:\Users\Queue\.m2\repository\org\quartz-scheduler\quartz\2.3.0\quartz-2.3.0.jar
MD5: a9c2bcf5ed6b2c8b6ca315a545d01261
SHA1: a090397102a12f6241177c5d501835334bb7662a
SHA256:b73efc1eee7f44b59ba1f020ecb11848c0a988b712220f41df0698974c3a3531
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.quartz-scheduler:quartz:2.3.0  Confidence:Highest

c3p0-0.9.5.2.jar

Description:

 a JDBC Connection pooling / Statement caching library

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\com\mchange\c3p0\0.9.5.2\c3p0-0.9.5.2.jar
MD5: c4173b2a9ae53833045560fcc5f374b9
SHA1: 5f86cb6130bc6e8475615ed82d5b5e6fb226a86a
SHA256:a4cf6019521d1ad47862ab1e27b78e43aa8ea3fe96fcb303190fd2508ec09285
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.mchange:c3p0:0.9.5.2  Confidence:Highest

mchange-commons-java-0.2.11.jar

Description:

 mchange-commons-java

License:

GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Eclipse Public License, Version 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\Users\Queue\.m2\repository\com\mchange\mchange-commons-java\0.2.11\mchange-commons-java-0.2.11.jar
MD5: 28a61e7d649173f24ac8e5bd5bc3104b
SHA1: 2a6a6c1fe25f28f5a073171956ce6250813467ef
SHA256:b38f9c39fbd2dfdffb40e0fc5b68caab6ccc494e47fce214e5c4ab9e39689abb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.mchange:mchange-commons-java:0.2.11  Confidence:Highest

HikariCP-java6-2.3.13.jar

Description:

 Ultimate JDBC Connection Pool

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\zaxxer\HikariCP-java6\2.3.13\HikariCP-java6-2.3.13.jar
MD5: 191a947b6a52cda4a44defe7b3d06049
SHA1: 376d13a7b2dc57379c550619fe02ecfe51e62465
SHA256:15ff85021790a1e92f5eb58eb436c8ad96d9484fb411256979a4431082bf75fe
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.zaxxer:HikariCP-java6:2.3.13  Confidence:Highest

javax.json-api-1.1.2.jar

Description:

 API module of JSR 374:Java API for Processing JSON

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: C:\Users\Queue\.m2\repository\javax\json\javax.json-api\1.1.2\javax.json-api-1.1.2.jar
MD5: a59d2f385dbd8f6561235dfa8d81a559
SHA1: b38c52a6e180359108bd5e35dbeec7d1be45c535
SHA256:228759defdf40d1cb94112c81e4ae505a4c7c26dc217723be4f7d48a5579703d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: javax.json:javax.json-api:1.1.2  Confidence:Highest

vdx-core-1.1.6.jar

Description:

 VDX Core utils

File Path: C:\Users\Queue\.m2\repository\org\projectodd\vdx\vdx-core\1.1.6\vdx-core-1.1.6.jar
MD5: c70bf1942e0effa588f97875d166b6e2
SHA1: f685489cc2abe5882eb139840589be2ab6e322b8
SHA256:f3d39ec8d90afabc2687cdf116ad5ba22efe8e0a7103fd560a137ad897905155
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.projectodd.vdx:vdx-core:1.1.6  Confidence:Highest

vdx-wildfly-1.1.6.jar

Description:

 VDX WildFly support

File Path: C:\Users\Queue\.m2\repository\org\projectodd\vdx\vdx-wildfly\1.1.6\vdx-wildfly-1.1.6.jar
MD5: 50874b3628f0c6ba64271ea3e7c154f7
SHA1: 2dac020b2e9b17f2d2ecba8d1b96f102624c07ab
SHA256:9a1691be89ef00d889f181e955dd9632c9edcaf82274bf525c1a1a5f057108bd
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.1.6  Confidence:Low  
  • maven: org.projectodd.vdx:vdx-wildfly:1.1.6  Confidence:Highest

undertow-core-2.0.13.Final.jar

Description:

 Undertow

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\io\undertow\undertow-core\2.0.13.Final\undertow-core-2.0.13.Final.jar
MD5: c56ad8231ca72263aed6eadea90e39e1
SHA1: 78cd1da0625d9929d6fa778223db1c5059c40848
SHA256:44995716dfc1a7c7ae1531aa94b50c995d269bba13b06b023546ebeff25ee72c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: io.undertow:undertow-core:2.0.13.Final  Confidence:Highest

cal10n-api-0.8.1.jar

Description:

 Compiler assisted localization library (CAL10N)

File Path: C:\Users\Queue\.m2\repository\ch\qos\cal10n\cal10n-api\0.8.1\cal10n-api-0.8.1.jar
MD5: a5e1938f597d3536baae45e06f7b82b2
SHA1: 496e5f330af47a811c497d637e03f1b8d8cdc2b0
SHA256:b7a110770766cd2742eba4ee894713b17e69262841f8aeea8b3d1a666fb7d260
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: ch.qos.cal10n:cal10n-api:0.8.1  Confidence:Highest

woodstox-core-5.0.3.jar

Description:

 Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

License:

The Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\woodstox\woodstox-core\5.0.3\woodstox-core-5.0.3.jar
MD5: 8b151bd3d262d9c07e0384b7cc6c4cd9
SHA1: 10aa199207fda142eff01cd61c69244877d71770
SHA256:a1c04b64fbfe20ae9f2c60a3bf1633fed6688ae31935b6bd4a457a1bbb2e82d4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.fasterxml.woodstox:woodstox-core:5.0.3  Confidence:Highest

javax.json-1.1.2.jar

Description:

 Default provider for JSR 374:Java API for Processing JSON

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: C:\Users\Queue\.m2\repository\org\glassfish\javax.json\1.1.2\javax.json-1.1.2.jar
MD5: 09593edb57fd9bcf8ce58f9bd031e308
SHA1: a507518970d55e9de24665af06d70aae91b4aaa1
SHA256:3cf736d446cc66090a50c975d2e56bf18bcabd7b7bb8ff87d514fc0b17099c85
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.glassfish:javax.json:1.1.2  Confidence:Highest

stax2-api-3.1.4.jar

Description:

 Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\org\codehaus\woodstox\stax2-api\3.1.4\stax2-api-3.1.4.jar
MD5: c08e89de601b0a78f941b2c29db565c3
SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
SHA256:86d7c0b775a7c9b454cc6ba61d40a8eb3b99cc129f832eb9b977a3755b4b338e
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.woodstox:stax2-api:3.1.4  Confidence:Highest

jandex-2.0.5.Final.jar

Description:

 Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jandex\2.0.5.Final\jandex-2.0.5.Final.jar
MD5: 8faa3033123cfc8470107d2ae4ebe76d
SHA1: 7060f67764565b9ee9d467e3ed0cb8a9c601b23a
SHA256:9112a9c33175b8c64b999ecf47b649fdf1cd6fa8262d0677895e976ed2891f0b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jandex:2.0.5.Final  Confidence:Highest

jboss-dmr-1.5.0.Final.jar

License:

GNU Lesser General Public License v2.1 only: http://repository.jboss.org/licenses/lgpl-2.1.txt
Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jboss-dmr\1.5.0.Final\jboss-dmr-1.5.0.Final.jar
MD5: 597af8c7b37a672708d72655572268bc
SHA1: 99bff2167539a969f3d20d2633ad49d16322e39b
SHA256:cbbe302464ff99bc0656be2343958f3eb7a4ffc575e03bb7399fccbb327be6c5
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jboss-dmr:1.5.0.Final  Confidence:Highest

staxmapper-1.3.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\staxmapper\1.3.0.Final\staxmapper-1.3.0.Final.jar
MD5: 50a1b373e630786c967c917d00d4733e
SHA1: 61c6f36255b014db28dac8e399b6c9e40c93b1d6
SHA256:2376327e0d63f8c815589e830d7e384dd8903928dbaee8ecdfc873ebef6ff335
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:staxmapper:1.3.0.Final  Confidence:Highest

jboss-interceptors-api_1.2_spec-1.0.1.Final.jar

Description:

 The Java(TM) EE Interceptors 1.2 API classes from JSR 318.

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\interceptor\jboss-interceptors-api_1.2_spec\1.0.1.Final\jboss-interceptors-api_1.2_spec-1.0.1.Final.jar
MD5: 20603cc0b95e5a896fd17fde277dbd57
SHA1: c8d2eba1110f989d706c363156a9448f576bb0be
SHA256:67992eb8f5b2e056b180fa67c2ba8c3adf736a67c6da3d4b91d948a0a97d3bba
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.2_spec:1.0.1.Final  Confidence:Highest

jboss-jacc-api_1.5_spec-1.0.2.Final.jar

Description:

 JSR-000115 Java(TM) Authorization Contract for Containers API

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\security\jacc\jboss-jacc-api_1.5_spec\1.0.2.Final\jboss-jacc-api_1.5_spec-1.0.2.Final.jar
MD5: ea09f0c6ba3f8113f15897614133ba6f
SHA1: 8fa08aafdc4d9aa9cbf429aac1cbdede06b3f070
SHA256:37fdb37be8c731138d7d5f01eba2c25042f3fa455b09f13af908afe76e3e885c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.spec.javax.security.jacc:jboss-jacc-api_1.5_spec:1.0.2.Final  Confidence:Highest

jboss-jaspi-api_1.1_spec-1.0.2.Final.jar

Description:

 JSR-196: Java Authentication SPI for Containers 1.1 API

License:

Common Development And Distribution License 1.1: https://javaee.github.io/glassfish/LICENSE
GNU General Public License v2.0 only, with Classpath exception: http://openjdk.java.net/legal/gplv2+ce.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\spec\javax\security\auth\message\jboss-jaspi-api_1.1_spec\1.0.2.Final\jboss-jaspi-api_1.1_spec-1.0.2.Final.jar
MD5: c7824c90485c9f7b7ff61d2ead269a69
SHA1: dca69506598dce01c31c81e650a57d6c093934ee
SHA256:15299adc215f098859b77265daec93c1e91d531e58b9469b7f922fae90386817
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.spec.javax.security.auth.message:jboss-jaspi-api_1.1_spec:1.0.2.Final  Confidence:Highest

jboss-classfilewriter-1.2.3.Final.jar

Description:

 A bytecode writer that creates .class files at runtime

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\classfilewriter\jboss-classfilewriter\1.2.3.Final\jboss-classfilewriter-1.2.3.Final.jar
MD5: f5e7b5a3b53aa9e2c42e50cbb58a7013
SHA1: d48cbe4bda284e1e93bb5b1f26d42e9a3a625990
SHA256:907d84ff8af1de9aede781e0192c8504923f746150e31fc15779cc759ec2b84d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.classfilewriter:jboss-classfilewriter:1.2.3.Final  Confidence:Highest

jboss-vfs-3.2.14.Final.jar

Description:

 A VFS library

License:

asl: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\jboss-vfs\3.2.14.Final\jboss-vfs-3.2.14.Final.jar
MD5: 71bca58b1b94bd03d7b18a75fe795c18
SHA1: 88fe7e18e3da1eabd64f6fdda9529e3dc00b15e9
SHA256:63576c856a5a0c7adc5f6db562ce6962921cbef49e30bbbad80b61c477b8ec12
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jboss-vfs:3.2.14.Final  Confidence:Highest

aesh-readline-1.10.jar

File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-readline\1.10\aesh-readline-1.10.jar
MD5: 167dfba63b38f5ae3ba99999c4d613d3
SHA1: 1f5da24fed4f4f05fe19ba14b0bd9611bd5772aa
SHA256:b42510aa0a2508f858c6c75d31aaec0dcc73ac8fdca2f7d4b2e4bf4de4bbfca6
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-readline:1.10  Confidence:Highest

aesh-extensions-1.6.jar

Description:

 Commands that may be used as part of a Æsh program

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-extensions\1.6\aesh-extensions-1.6.jar
MD5: 66d38942575e9c16ca951721defe5212
SHA1: 1e6dfdc89ceba813d3847d7e47d34ce50ceee3b9
SHA256:224e9ddb691becd11f5821c54408dd94f0fa1fb718da41fa3d4fb1b336db9431
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-extensions:1.6  Confidence:Highest

aesh-1.7.jar

Description:

 Æsh (Another Extendable SHell)

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh\1.7\aesh-1.7.jar
MD5: fdb6e3666283648a20d82bd65575f39e
SHA1: 39d1fc7e9bd81d42368d54d88feeb368564140f3
SHA256:50e20e1810f1706e8798794e38d644961128ce426e9e28646f70f8815938159a
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh:1.7  Confidence:Highest

jboss-invocation-1.5.1.Final.jar

Description:

 Invocation Application Programming Interface

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\invocation\jboss-invocation\1.5.1.Final\jboss-invocation-1.5.1.Final.jar
MD5: b9ecddaf54f952a2003278e2fb7f104c
SHA1: 2ae006f489a673f7c0e70b07c26621cb7782ee88
SHA256:da89206eae128f95a70e87d26ddf3e45282bc696fc537d12b38efe4268c663b8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.invocation:jboss-invocation:1.5.1.Final  Confidence:Highest

jboss-logging-3.3.2.Final.jar

Description:

 The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jboss-logging\3.3.2.Final\jboss-logging-3.3.2.Final.jar
MD5: c397132f958d7e8ac0d566b6723ca7ca
SHA1: 3789d00e859632e6c6206adc0c71625559e6e3b0
SHA256:cb914bfe888da7d9162e965ac8b0d6f28f2f32eca944a00fbbf6dd3cf1aacc13
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging:3.3.2.Final  Confidence:Highest

jul-to-slf4j-stub-1.0.1.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\jul-to-slf4j-stub\1.0.1.Final\jul-to-slf4j-stub-1.0.1.Final.jar
MD5: ba879de98275bb09d3377d80c5dd0a83
SHA1: 4399b60dd598134860176c93f17b0acdfd3c8ad7
SHA256:a80e5c33b6791aad4e06898d5b541d46cf30242c0a3f7a7debc439b05f94929f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logging:jul-to-slf4j-stub:1.0.1.Final  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.0.1  Confidence:Low  

commons-logging-jboss-logging-1.0.0.Final.jar

Description:

 Apache Commons Logging to JBoss Logging implementation

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logging\commons-logging-jboss-logging\1.0.0.Final\commons-logging-jboss-logging-1.0.0.Final.jar
MD5: 46328c16f47be35563b73425d456445a
SHA1: 27a4e823d661bde67ec103bba2baf33cddde6e75
SHA256:f12176263ea25f4e78bb4fa4b36d335a29738dde6a8123e1b6da89a655d150ff
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logging:commons-logging-jboss-logging:1.0.0.Final  Confidence:Highest

log4j-jboss-logmanager-1.1.6.Final.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\logmanager\log4j-jboss-logmanager\1.1.6.Final\log4j-jboss-logmanager-1.1.6.Final.jar
MD5: 6546569711057324c0f41c7ed0bf953d
SHA1: 59dffc44179bbbf366268e8dbbf901423cd565ae
SHA256:dd4aebd31eda21ed6fa783c2f412cdf44d014d0c765b86b721b0ef9853b46a55
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.logmanager:log4j-jboss-logmanager:1.1.6.Final  Confidence:Highest

jboss-marshalling-2.0.6.Final.jar

Description:

 JBoss Marshalling API

File Path: C:\Users\Queue\.m2\repository\org\jboss\marshalling\jboss-marshalling\2.0.6.Final\jboss-marshalling-2.0.6.Final.jar
MD5: 693b24b734bf5b550537c52cfeb50048
SHA1: 6efb7c156db08c9c6cca237ce0bd7ca42e5511d0
SHA256:9c46848dbfbdaf5cb94c0989d6695167d6ee75faccfbe37998761c1af8b19bd9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling:2.0.6.Final  Confidence:Highest

jboss-marshalling-river-2.0.6.Final.jar

Description:

 JBoss Marshalling River Implementation

File Path: C:\Users\Queue\.m2\repository\org\jboss\marshalling\jboss-marshalling-river\2.0.6.Final\jboss-marshalling-river-2.0.6.Final.jar
MD5: ca4b17026710565cf2908a211186f3a1
SHA1: 4825b41c1255d56a7e2ecf38248d55200527c5c4
SHA256:90407dc8c199127bddf68c6627157b4ff104af02f1a9264b9e0f5967d1dcf432
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling-river:2.0.6.Final  Confidence:Highest

jboss-modules-1.8.6.Final.jar

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
Indiana University Extreme! Lab Software License 1.1.1: http://www.bearcave.com/software/java/xml/xmlpull_license.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\modules\jboss-modules\1.8.6.Final\jboss-modules-1.8.6.Final.jar
MD5: 2bd78369fcc490b9b28554e2696e8e28
SHA1: 78fab247226a5c3bd7a21043c82dc87145c7234c
SHA256:1b0a12a8f7f78c55214f65141eceec10d769730a8b538eff5cdc94dcea99330c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.modules:jboss-modules:1.8.6.Final  Confidence:Highest

jboss-msc-1.4.3.Final.jar

License:

GNU Lesser General Public License v2.1 only: http://repository.jboss.org/licenses/lgpl-2.1.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\msc\jboss-msc\1.4.3.Final\jboss-msc-1.4.3.Final.jar
MD5: 493f4be60526dc2b9e9a7b220bed7948
SHA1: 1108576f0c0364141bff024726ced84e10dc2d3a
SHA256:d4d0411e960fb21a3c6db38f8d5e31a2456213a64c1c4918a0ccffe4ee350905
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.msc:jboss-msc:1.4.3.Final  Confidence:Highest

jboss-remoting-5.0.8.Final.jar

Description:

 JBoss Remoting

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\remoting\jboss-remoting\5.0.8.Final\jboss-remoting-5.0.8.Final.jar
MD5: c7177518bf4b1d17702606239c3b6855
SHA1: 76efeb9cd19abcff103f2119ab26357626e3d16c
SHA256:00919dc61e745e007ca6bbe56a057b5c05dad2b4ca3ce21bdc980e0bdcb85457
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.remoting:jboss-remoting:5.0.8.Final  Confidence:Highest

remoting-jmx-3.0.0.Final.jar

License:

GNU Lesser General Public License v2.1 or later: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: C:\Users\Queue\.m2\repository\org\jboss\remotingjmx\remoting-jmx\3.0.0.Final\remoting-jmx-3.0.0.Final.jar
MD5: f94abd3b2ed79ceecdd197b43be23766
SHA1: f17201e2092f0fc03c1b61b632f1344f51045ead
SHA256:244c8492baaa16dcf392324f5b00dd3ddf4162a3664f9952b8a46e09d7e9527b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.remotingjmx:remoting-jmx:3.0.0.Final  Confidence:Highest

slf4j-jboss-logmanager-1.0.3.GA.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\slf4j\slf4j-jboss-logmanager\1.0.3.GA\slf4j-jboss-logmanager-1.0.3.GA.jar
MD5: 66e36c7f3b36b3b8932e7bcbc38df374
SHA1: 1488ce0a2d0c1d2edaecce476279c23252047034
SHA256:f49e2d2cc2e1a3b2777aa874479ce4bf24f6a2b3bf60a639e4675a767f2d8b41
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.0.3  Confidence:Low  
  • maven: org.jboss.slf4j:slf4j-jboss-logmanager:1.0.3.GA  Confidence:Highest

jboss-stdio-1.0.2.GA.jar

File Path: C:\Users\Queue\.m2\repository\org\jboss\stdio\jboss-stdio\1.0.2.GA\jboss-stdio-1.0.2.GA.jar
MD5: 66b64b84e74f26ad07f3434cd55c1269
SHA1: 709a076a3c74bc93809138b691dbd0e90cbc67a7
SHA256:faaef15cd41f4ef8fd7d85bd4e414b909e48b8c95547476139dc855c2d108d0e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.stdio:jboss-stdio:1.0.2.GA  Confidence:Highest

jboss-threads-2.3.2.Final.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\threads\jboss-threads\2.3.2.Final\jboss-threads-2.3.2.Final.jar
MD5: fde56cbf672e640a0b70c3c1869006ec
SHA1: 72123d97ace01dd48e7d096ed1908b0d70c2a7d5
SHA256:94bcb8221092315875c2d715e12b0a549aa03024bf3954ea2dd313fabe68d97c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.threads:jboss-threads:2.3.2.Final  Confidence:Highest

xnio-api-3.6.5.Final.jar

Description:

 The API JAR of the XNIO project

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\xnio\xnio-api\3.6.5.Final\xnio-api-3.6.5.Final.jar
MD5: 3a0dd2d05aac582b2d89a35ff0612b7d
SHA1: 28e8b81bbf9ed0005b3d849bd87f12089d43b332
SHA256:f0b00e2c93d2f7d09a02523745bab00bfa2b1c0d697ce21ee8dfab0ecdb8aeed
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.xnio:xnio-api:3.6.5.Final  Confidence:Highest

xnio-nio-3.6.5.Final.jar

Description:

 The NIO implementation of the XNIO project

License:

http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jboss\xnio\xnio-nio\3.6.5.Final\xnio-nio-3.6.5.Final.jar
MD5: ae09c494c00e1b3b7a019c118e19c7e6
SHA1: 7d73fde250a86f30aec162e55d4eb3fcbdeda9b0
SHA256:b19bbd8782ca745dbe09cc627f18a13058e2dfcc08f6f0e5c5680e7d1ba3c747
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss.xnio:xnio-nio:3.6.5.Final  Confidence:Highest

jansi-1.16.jar

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar
MD5: dcd0f8872d723085a680692ff353f5da
SHA1: b1aaf0028852164ab6b4057192ccd0ba7dedd3a5
SHA256:7f3523cc23afe8ecb14511d5bcbd0285af4311c64e450d74d407eeb22861a112
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.fusesource.jansi:jansi:1.16  Confidence:Highest

wildfly-common-1.4.0.Final.jar

Description:

 Parent POM for JBoss projects. Provides default project build configuration.

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\common\wildfly-common\1.4.0.Final\wildfly-common-1.4.0.Final.jar
MD5: 95b653f8c2a991905c7add932b361968
SHA1: f5cf8710427cc347f407bb232b88cc2c95e2d38f
SHA256:5de1de2b61ff2be500ab2de94eadd51cbf52d3074f9909f9a5046ae587cd26e3
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.common:wildfly-common:1.4.0.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.4.0  Confidence:Low  

wildfly-config-gen-2.0.0.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\galleon-plugins\wildfly-config-gen\2.0.0.Final\wildfly-config-gen-2.0.0.Final.jar
MD5: d6cf58fed2b519e39afbb206c46b03fd
SHA1: dd06d9f9fa0f4891262309ee435ffe313e170333
SHA256:3ac3b470c2a293b6ffa5f7d7aaa5630c422bb3d3c2491ecad41dc9bb9475a8fe
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:2.0.0  Confidence:Low  
  • maven: org.wildfly.galleon-plugins:wildfly-config-gen:2.0.0.Final  Confidence:Highest

wildfly-openssl-java-1.0.6.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-java\1.0.6.Final\wildfly-openssl-java-1.0.6.Final.jar
MD5: af809c06b5d9ad4f7f980e3c6fc662e8
SHA1: 90306c6b40b1382eb26b63fa7669bdc38b6bc592
SHA256:96e733f0b7acffc6a7f90496615d7ecba84e8651c41efd4a8255339901729969
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.0.6  Confidence:Low  
  • cpe: cpe:/a:openssl_project:openssl:1.0.6  Confidence:Low  
  • maven: org.wildfly.openssl:wildfly-openssl-java:1.0.6.Final  Confidence:Highest
  • cpe: cpe:/a:openssl:openssl:1.0.6  Confidence:Low  

CVE-1999-0428  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Vulnerable Software & Versions:

CVE-2007-5536  

Severity:Medium
CVSS Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Vulnerable Software & Versions:

CVE-2009-0590  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Vulnerable Software & Versions:

CVE-2013-0169  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Software & Versions:

CVE-2016-7055  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-320 Key Management Errors

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

Vulnerable Software & Versions:

CVE-2018-12433  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

** DISPUTED ** cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model.

Vulnerable Software & Versions:

CVE-2018-12437  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Vulnerable Software & Versions:

CVE-2018-12438  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Elliptic Curve Cryptography library (aka sunec or libsunec) allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Vulnerable Software & Versions:

org.eclipse.jgit-5.0.2.201807311906-r.jar

Description:

 Repository access and algorithms

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jgit\org.eclipse.jgit\5.0.2.201807311906-r\org.eclipse.jgit-5.0.2.201807311906-r.jar
MD5: 1cf0cb6b89aa6cc22f200269eb3d13c9
SHA1: a81d7c8d153a8a744b6be1d9c6d698270beec1c0
SHA256:7665fa449e1a267f51f251f4e9db4fb8e2e349f6ef36bd8d2f5fb4c44d5bfd8b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.eclipse.jgit:org.eclipse.jgit:5.0.2.201807311906-r  Confidence:Highest

jsch-0.1.54.jar

Description:

 JSch is a pure Java implementation of SSH2

License:

Revised BSD: http://www.jcraft.com/jsch/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\com\jcraft\jsch\0.1.54\jsch-0.1.54.jar
MD5: 56a6c6fc5819e21c665355b39b9097d8
SHA1: da3584329a263616e277e15462b387addd1b208d
SHA256:92eb273a3316762478fdd4fe03a0ce1842c56f496c9c12fe1235db80450e1fdb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:jcraft:jsch:0.1.54  Confidence:Low  
  • maven: com.jcraft:jsch:0.1.54  Confidence:Highest

jzlib-1.1.1.jar

Description:

 JZlib is a re-implementation of zlib in pure Java

License:

Revised BSD: http://www.jcraft.com/jzlib/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\com\jcraft\jzlib\1.1.1\jzlib-1.1.1.jar
MD5: 553b605c56ec6f508ab46ed026e21622
SHA1: a1551373315ffc2f96130a0e5704f74e151777ba
SHA256:5cb1e9f9cf0be011487545694ff0a178237c6bfcbb21c97865cdc52c60b9347a
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jcraft:jzlib:1.1.1  Confidence:Low  
  • maven: com.jcraft:jzlib:1.1.1  Confidence:Highest

JavaEWAH-1.1.6.jar

Description:

 The bit array data structure is implemented in Java as the BitSet class. Unfortunately, this fails to scale without compression. JavaEWAH is a word-aligned compressed variant of the Java bitset class. It uses a 64-bit run-length encoding (RLE) compression scheme. The goal of word-aligned compression is not to achieve the best compression, but rather to improve query processing time. Hence, we try to save CPU cycles, maybe at the expense of storage. However, the EWAH scheme we implemented is always more efficient storage-wise than an uncompressed bitmap (implemented in Java as the BitSet class). Unlike some alternatives, javaewah does not rely on a patented scheme.

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\googlecode\javaewah\JavaEWAH\1.1.6\JavaEWAH-1.1.6.jar
MD5: ad90237fa8e47defd9fdac73e68608fd
SHA1: 94ad16d728b374d65bd897625f3fbb3da223a2b6
SHA256:f78d44a1e3877f1ce748b4a85df5171e5e8e9a5c3c6f63bb9003db6f84cce952
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.googlecode.javaewah:JavaEWAH:1.1.6  Confidence:Highest

httpclient-4.5.2.jar

Description:

 Apache HttpComponents Client

File Path: C:\Users\Queue\.m2\repository\org\apache\httpcomponents\httpclient\4.5.2\httpclient-4.5.2.jar
MD5: e0a45df625cb96b69505e59bb25a0189
SHA1: 733db77aa8d9b2d68015189df76ab06304406e50
SHA256:0dffc621400d6c632f55787d996b8aeca36b30746a716e079a985f24d8074057
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:httpclient:4.5.2  Confidence:Low  
  • maven: org.apache.httpcomponents:httpclient:4.5.2  Confidence:Highest

httpcore-4.4.4.jar

Description:

 Apache HttpComponents Core (blocking I/O)

File Path: C:\Users\Queue\.m2\repository\org\apache\httpcomponents\httpcore\4.4.4\httpcore-4.4.4.jar
MD5: e7776f2b03a4c62d691a90d3c68c93c0
SHA1: b31526a230871fbe285fbcbe2813f9c0839ae9b0
SHA256:f7bc09dc8a7003822d109634ffd3845d579d12e725ae54673e323a7ce7f5e325
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.apache.httpcomponents:httpcore:4.4.4  Confidence:Highest

wildfly-core-security-6.0.2.Final.jar

File Path: C:\Users\Queue\.m2\repository\org\wildfly\core\wildfly-core-security\6.0.2.Final\wildfly-core-security-6.0.2.Final.jar
MD5: ef4d163300e9bc0f59b77ff5a283a835
SHA1: 4f66078812cb08f010cde4ab7ba4fbfb572064ed
SHA256:3ba712f402ebeb4d1a6be8b7920c05ac6b381c61ae9a63e04d5b77f5fda06be1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:6.0.2  Confidence:Low  
  • maven: org.wildfly.core:wildfly-core-security:6.0.2.Final  Confidence:Highest

wildfly-elytron-1.6.0.Final.jar

Description:

 WildFly Security SPIs

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\wildfly-elytron\1.6.0.Final\wildfly-elytron-1.6.0.Final.jar
MD5: 5e591f1c9e1c1b55fee26c7ff518de5d
SHA1: 8d11d7e04e0556db650bdae510108def36479e74
SHA256:f9f241e7944c248cb5c6ebb169c1bf6eeba7c7aaaf60a7e3d1e288f04dbfa488
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.6.0  Confidence:Low  
  • maven: org.wildfly.security:wildfly-elytron:1.6.0.Final  Confidence:Highest

undertow-server-1.2.3.Final.jar

Description:

 Integration project for integrating Elytron based HTTP authentication with Undertow.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\elytron-web\undertow-server\1.2.3.Final\undertow-server-1.2.3.Final.jar
MD5: 8201a36a12d05fa90990d51ea4455dd1
SHA1: 1e4eb8d1dd689149fe93c58ddc2f02a013ca049c
SHA256:a912f8c76e09952a04c18198de5d59f951266f720d1376f057f0e7f60819bbab
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.security.elytron-web:undertow-server:1.2.3.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.2.3  Confidence:Low  

wildfly-client-config-1.0.1.Final.jar

Description:

 Library for supporting WildFly common client configuration

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\client\wildfly-client-config\1.0.1.Final\wildfly-client-config-1.0.1.Final.jar
MD5: 77f13d40c0fc70d05b48d43ac8ae2581
SHA1: 2a803b23c40a0de0f03a90d1fd3755747bc05f4b
SHA256:80a4e963ce94ebb043ecb0f2c0e77d327f23dc87d81350b863752eedfa2c3bb3
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:wildfly:wildfly:1.0.1  Confidence:Low  
  • maven: org.wildfly.client:wildfly-client-config:1.0.1.Final  Confidence:Highest

wildfly-discovery-client-1.1.1.Final.jar

License:

Apache License 2.0: http://repository.jboss.org/licenses/apache-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\discovery\wildfly-discovery-client\1.1.1.Final\wildfly-discovery-client-1.1.1.Final.jar
MD5: 0c7b0f016fd48396393dc39747359480
SHA1: 4b241accf5b03010a3c34e899f2301fada801a46
SHA256:e241e9a83900f64776b78b2385514fb0083990b4d73ae6150216f91b1b04593f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.discovery:wildfly-discovery-client:1.1.1.Final  Confidence:Highest
  • cpe: cpe:/a:wildfly:wildfly:1.1.1  Confidence:Low  

xml-resolver-1.2.jar

Description:

 xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier.

File Path: C:\Users\Queue\.m2\repository\xml-resolver\xml-resolver\1.2\xml-resolver-1.2.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
SHA256:47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: xml-resolver:xml-resolver:1.2  Confidence:Highest

kafka_2.12-2.0.1.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\kafka\kafka_2.12\2.0.1\kafka_2.12-2.0.1.jar
MD5: 41c8cfbac1e3081492c4a376f9e0f272
SHA1: fe86050bef211a155ef32ce677f25e5ff86078cc
SHA256:45edbd62e4bcfb00786da132deeabee52fbf33ed17317337280a64d545111182
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kafka:kafka_2.12:2.0.1  Confidence:Highest
  • cpe: cpe:/a:apache:kafka:2.0.1  Confidence:Low  

lz4-java-1.4.1.jar

Description:

 Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\lz4\lz4-java\1.4.1\lz4-java-1.4.1.jar
MD5: 4eb33d16b03740ee0502ce4267b98838
SHA1: ad89b11ac280a2992d65e078af06f6709f1fe2fc
SHA256:f0efa5ce1318f0e3e734f35238dacc441c6510cb6f3fee6d1cfd3ebae15e2bef
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.lz4:lz4-java:1.4.1  Confidence:Highest

snappy-java-1.1.7.1.jar

Description:

 snappy-java: A fast compression/decompression library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.7.1\snappy-java-1.1.7.1.jar
MD5: b4f24dfcad1dea50175e516186961fe7
SHA1: d5190b41f3de61e3b83d692322d58630252bc8c3
SHA256:bb52854753feb1919f13099a53475a2a8eb65dbccd22839a9b9b2e1a2190b951
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.xerial.snappy:snappy-java:1.1.7.1  Confidence:Highest

jackson-databind-2.9.7.jar

Description:

 General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-databind\2.9.7\jackson-databind-2.9.7.jar
MD5: 2916db8b36f4078f07dd9580bccec6c2
SHA1: e6faad47abd3179666e89068485a1b88a195ceb7
SHA256:675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.9.7  Confidence:Low  
  • cpe: cpe:/a:fasterxml:jackson-databind:2.9.7  Confidence:Low  
  • maven: com.fasterxml.jackson.core:jackson-databind:2.9.7  Confidence:Highest

jackson-annotations-2.9.0.jar

Description:

 Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-annotations\2.9.0\jackson-annotations-2.9.0.jar
MD5: c09faa1b063681cf45706c6df50685b6
SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
SHA256:45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.fasterxml.jackson.core:jackson-annotations:2.9.0  Confidence:Highest
  • cpe: cpe:/a:fasterxml:jackson:2.9.0  Confidence:Low  

jackson-core-2.9.7.jar

Description:

 Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\fasterxml\jackson\core\jackson-core\2.9.7\jackson-core-2.9.7.jar
MD5: ae90e61fef491afefbc9c225b6497753
SHA1: 4b7f0e0dc527fab032e9800ed231080fdc3ac015
SHA256:9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.9.7  Confidence:Low  
  • maven: com.fasterxml.jackson.core:jackson-core:2.9.7  Confidence:Highest

jopt-simple-5.0.4.jar

Description:

 A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\net\sf\jopt-simple\jopt-simple\5.0.4\jopt-simple-5.0.4.jar
MD5: eb0d9dffe9b0eddead68fe678be76c49
SHA1: 4fdac2fbe92dfad86aa6e9301736f6b4342a3f5c
SHA256:df26cc58f235f477db07f753ba5a3ab243ebe5789d9f89ecf68dd62ea9a66c28
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.jopt-simple:jopt-simple:5.0.4  Confidence:Highest

metrics-core-2.2.0.jar

File Path: C:\Users\Queue\.m2\repository\com\yammer\metrics\metrics-core\2.2.0\metrics-core-2.2.0.jar
MD5: e9f8554d1924149fbfbdd9a8b345dfbd
SHA1: f82c035cfa786d3cbec362c38c22a5f5b1bc8724
SHA256:6b7a14a6f34c10f8683f7b5e2f39df0f07b58c7dff0e468ebbc713905c46979c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.yammer.metrics:metrics-core:2.2.0  Confidence:Highest

scala-library-2.12.6.jar

Description:

 Standard library for the Scala Programming Language

License:

BSD 3-Clause: http://www.scala-lang.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\scala-lang\scala-library\2.12.6\scala-library-2.12.6.jar
MD5: 7e419dade4331276805bbaaa91f9ec13
SHA1: 6bd975dd5ca2a50b94413b708389b892ae423181
SHA256:f81d7144f0ce1b8123335b72ba39003c4be2870767aca15dd0888ba3dab65e98
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:scala-lang:scala:2.12.6  Confidence:Low  
  • maven: org.scala-lang:scala-library:2.12.6  Confidence:Highest

scala-logging_2.12-3.9.0.jar

Description:

 scala-logging

License:

Apache 2.0 License: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\com\typesafe\scala-logging\scala-logging_2.12\3.9.0\scala-logging_2.12-3.9.0.jar
MD5: 697a60600850806fc28f6ed543f4bd78
SHA1: b6c6bb584f3e5c2d3f20aa7c8ff3e6959870b13c
SHA256:58073c9891e26b99a12c1b501754d8447897913e023fdd37765b58e6377408bc
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.typesafe.scala-logging:scala-logging_2.12:3.9.0  Confidence:Highest

zkclient-0.10.jar

Description:

 A zookeeper client, that makes life a little easier.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\101tec\zkclient\0.10\zkclient-0.10.jar
MD5: d403d66b9b02fbd34db3ce0ad8870f9c
SHA1: c54d4b5a5e89af75a80b6d5857400165ce5188d0
SHA256:26e988b8bba838c724fd8350b331ee8b5ffc59c3a9c074df115c4c3a6c843878
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.101tec:zkclient:0.10  Confidence:Highest

zookeeper-3.4.13.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\zookeeper\zookeeper\3.4.13\zookeeper-3.4.13.jar
MD5: e4e19aa464ab4370c3ebf0c4fdec3e0c
SHA1: 31e9937541cef95c4585b547eb2dbd34d3a76f1c
SHA256:5f82a2d9ddadaa67a165fabc3488484cf3c2e26c0cc48138ace1fddd30f6e562
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:zookeeper:3.4.13  Confidence:Low  
  • maven: org.apache.zookeeper:zookeeper:3.4.13  Confidence:Highest

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

audience-annotations-0.5.0.jar

Description:

 Annotations for defining API boundaries and tools for managing javadocs

File Path: C:\Users\Queue\.m2\repository\org\apache\yetus\audience-annotations\0.5.0\audience-annotations-0.5.0.jar
MD5: 032788f0841d26b027957fe91f2cd696
SHA1: 55762d3191a8d6610ef46d11e8cb70c7667342a3
SHA256:c82631f06c75d46bf6524d95f0d6c2e3aef1b3eb4a7b584ca296624ef0d474be
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.yetus:audience-annotations:0.5.0  Confidence:Highest

orc-core-1.4.4.jar

Description:

 The core reader and writer for ORC files. Uses the vectorized column batch for the in memory representation.

File Path: C:\Users\Queue\.m2\repository\org\apache\orc\orc-core\1.4.4\orc-core-1.4.4.jar
MD5: 73be2595b312b3a56e3c76d38c8ba03f
SHA1: 476508098229470d38889adeff28515fe6636aae
SHA256:db976d0d5bf01f02baf0c80292f847233e55175bc1e3b080448ec5e4d90fbd35
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.orc:orc-core:1.4.4  Confidence:Highest

protobuf-java-2.5.0.jar

Description:

 Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\com\google\protobuf\protobuf-java\2.5.0\protobuf-java-2.5.0.jar
MD5: a44473b98947e2a54c54e0db1387d137
SHA1: a10732c76bfacdbd633a7eb0f7968b1059a65dfa
SHA256:e0c1c64575c005601725e7c6a02cebf9e1285e888f756b2a1d73ffa8d725cc74
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

commons-lang-2.6.jar

Description:

 Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-lang\commons-lang\2.6\commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-lang:commons-lang:2.6  Confidence:Highest

aircompressor-0.8.jar

Description:

 Compression algorithms

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\io\airlift\aircompressor\0.8\aircompressor-0.8.jar
MD5: 21a730eeeaf42f5f17ce531e8f6a314c
SHA1: e2516b38b6674adcc730a90a59cfd861c1da3e7e
SHA256:5ff153975c0d9be96ad454ddffdbfb1d2492f5e1fa342ea51950e0bdec3f8aef
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: io.airlift:aircompressor:0.8  Confidence:Highest

hive-storage-api-2.2.1.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\hive\hive-storage-api\2.2.1\hive-storage-api-2.2.1.jar
MD5: 74823981797a3db5af9b6d5af68d6146
SHA1: 57c9cfcabeb865ad41e6fdd92a46434803188494
SHA256:7b0e44425f86f2e15623ef12a688972327b545501012561a23cf9819bbc16286
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:hive:2.2.1  Confidence:Low  
  • maven: org.apache.hive:hive-storage-api:2.2.1  Confidence:Highest

camel-core-2.22.2.jar

Description:

 The Core Camel Java DSL based router

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\camel\camel-core\2.22.2\camel-core-2.22.2.jar
MD5: 62e1bf0e4c82a8f5846aa4c69873a602
SHA1: 3e11d682d1be9e43dbdac282037edee03a57f983
SHA256:9ec53348092f8f97c10af675404bda6c1a59c85ade9fc5d93472819abf33ecba
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:camel:2.22.2  Confidence:Low  
  • maven: org.apache.camel:camel-core:2.22.2  Confidence:Highest

jaxb-core-2.3.0.1.jar

Description:

 Old JAXB Core module. Contains sources required by XJC, JXC and Runtime modules with dependencies.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.3.0.1\jaxb-core-2.3.0.1.jar
MD5: 1025d4fdc74ea30f15f06203ed9cdf2d
SHA1: 23574ca124d0a694721ce3ef13cd720095f18fdd
SHA256:d2ecba63615f317a11fb55c6468f6a9480f6411c10951d9881bafd9a9a8d0467
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.xml.bind:jaxb-core:2.3.0.1  Confidence:Highest

jaxb-impl-2.3.0.1.jar

Description:

 Old JAXB Runtime module. Contains sources required for runtime processing.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-impl\2.3.0.1\jaxb-impl-2.3.0.1.jar
MD5: 40a88fc2db1ea6cce763346ae066d829
SHA1: 2e979dabb3e5e74a0686115075956391a14dece8
SHA256:5ec7bb8dd5d36c9199131e06609409e4ea58bdd5d06fb361d8adfa8887b3c068
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.xml.bind:jaxb-impl:2.3.0.1  Confidence:Highest

jenkins-core-2.85.jar

Description:

 Jenkins core code and view files to render HTML.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\jenkins-core\2.85\jenkins-core-2.85.jar
MD5: 29bab158c5430c08b038786ab76cc726
SHA1: f51fe3f392df18e6d776c272d73912003accc71e
SHA256:08a86644600bca6277e93e5199f2b9e1d58c0a274c3a692524e6bfbc4c0fef29
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:2.85  Confidence:Highest  
  • maven: org.jenkins-ci.main:jenkins-core:2.85  Confidence:Highest

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000503  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

CVE-2018-6356  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Vulnerable Software & Versions:

icon-set-1.0.5.jar

Description:

Contains Jenkins icon-set code relied upon by both Jenkins Core and the icon "shim" plugin.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\plugins\icon-shim\icon-set\1.0.5\icon-set-1.0.5.jar
MD5: 60bebae291441885f0d35d141450cdf5
SHA1: dedc76ac61797dafc66f31e8507d65b98c9e57df
SHA256:5466e23ef32d050545c602b5b37646fd3425b3ddf20d7b4ae60103759d8aad35
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.0.5  Confidence:Low  
  • maven: org.jenkins-ci.plugins.icon-shim:icon-set:1.0.5  Confidence:Highest

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream issue: a Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm that allows creating an account if signup is enabled, or creating an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provide information about Jenkins user accounts, generally available to anyone with Overall/Read permission, via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API in Jenkins 2.73.1 and earlier and 2.83 and earlier at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier and 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

remoting-3.13.jar

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\remoting\3.13\remoting-3.13.jar
MD5: 82e2a9d35ca8389ce4cf8a78d51b75df
SHA1: 787c34c3eef65e10cc9fa90328b9285f793d220a
SHA256: 18ae5ecb59833003d8f517d0750403ff0a5fd23877957352f0c4bbe9f15ba3c8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci.main:remoting:3.13  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:3.13  Confidence:Low  

constant-pool-scanner-1.2.jar

Description:

 Simple utility to scan Java bytecode for class references in the constant pool.

License:

NetBeans CDDL/GPL: http://www.netbeans.org/cddl-gplv2.html
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\constant-pool-scanner\1.2\constant-pool-scanner-1.2.jar
MD5: a04ea81d440c7f10523b898c90dee1c9
SHA1: e5e0b7c7fcb67767dbd195e0ca1f0ee9406dd423
SHA256: 375c4c5e95e91efc61233696ab4803454b01833665d1ab6f72c2f2c646fb1511
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:constant-pool-scanner:1.2  Confidence:Highest

cli-2.85.jar

Description:

 Command line interface for Jenkins

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\main\cli\2.85\cli-2.85.jar
MD5: 6accffe0178ccbe6797d2d7ab8a4ab51
SHA1: ef730c900101468edc3a6f66dff6c23405385b9e
SHA256: 2a13051eb7588f54cf22810b24fa80079ec08246e81f75af33aab19643993a79
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk corresponding to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000503  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A race condition during startup of Jenkins 2.81 through 2.94 (inclusive) and 2.89.1 could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup, which resulted in multiple security-related settings not being set to their usual strict defaults.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

CVE-2018-6356  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

Vulnerable Software & Versions:

version-number-1.4.jar

License:

MIT License: https://opensource.org/licenses/MIT
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\version-number\1.4\version-number-1.4.jar
MD5: 34fb6fafece0fd877c80ea8da4a81937
SHA1: 5d0f2ea16514c0ec8de86c102ce61a7837e45eb8
SHA256: eec37ee19f3c2f420e4e231510bdff263622577795605cafa013862c5a0646b5
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:version-number:1.4  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:1.4  Confidence:Low  

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk whose names correspond to the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

crypto-util-1.1.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\crypto-util\1.1\crypto-util-1.1.jar
MD5: cbc79ca21a2445ee9486d8c21bf417d9
SHA1: 3a199a4c3748012b9dbbf3080097dc9f302493d8
SHA256: 9392781f12743306cd7bb300d04263c3e71964885db6a8245b6dc095b96cd139
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1  Confidence: Low
  • maven: org.jenkins-ci:crypto-util:1.1  Confidence: Highest

CVE-2011-4344

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:
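A check for the two cookie issues above (missing Secure, missing HttpOnly), run over captured response headers, as an added example that is not part of the Dependency-Check report or of Jenkins. The headers below are constructed, and the cookie name prefixes are assumptions: JSESSIONID with the per-instance suffix that Jetty/Winstone appends, plus the remember-me cookie, since both carry a credential.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example; not code from the Dependency-Check report or from Jenkins.
The response headers below are constructed for illustration.
"""

# Assumed session cookie names: Jenkins on Jetty/Winstone uses JSESSIONID with
# a per-instance suffix (e.g. JSESSIONID.3f2a9c1b); the remember-me cookie is
# included because it carries a long-lived credential as well.
SESSION_COOKIE_PREFIXES = ("JSESSIONID", "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE")

# Constructed sample: what an HTTPS deployment whose servlet container does
# not mark the session cookie might send. Not captured traffic.
SAMPLE_RESPONSE_HEADERS = [
    ("Set-Cookie", "JSESSIONID.3f2a9c1b=node01abc123.node0; Path=/; HttpOnly"),
    ("Set-Cookie", "screenResolution=1920x1080; Path=/"),
    ("X-Jenkins", "1.585"),
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_session_cookies(headers, over_tls=True):
    """Return [(cookie_name, [missing flags])] for session cookies that lack
    HttpOnly, or Secure when the instance is served over TLS.

    over_tls=False skips the Secure check: on a plain-HTTP deployment the flag
    would stop the browser from sending the cookie at all.
    """
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(header_value)
        if not name.upper().startswith(SESSION_COOKIE_PREFIXES):
            continue
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_tls and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for cookie, flags in audit_session_cookies(SAMPLE_RESPONSE_HEADERS):
        print(f"{cookie}: missing {', '.join(flags)}")
```

Feed it the headers of a real login response (for example from `curl -sI` against the instance) to confirm the fix after upgrading past 1.586. Independently of the Jenkins version, a Servlet 3.0 container can force both flags through the `cookie-config` element of `session-config` in web.xml, which is worth setting anyway so the protection does not depend on application code.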

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:
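A pre-check that refuses a job configuration carrying a DTD before any XML-aware tool processes it, as an added example that is not the report's or Jenkins's code. The configuration below is constructed to have the shape the description gives: an external entity whose expansion would read a file on the master.

```python
"""Reject XML that declares a DTD before handing it to an XML-aware tool.

Added example; not code from the Dependency-Check report or from Jenkins.
The job configurations below are constructed for illustration.
"""
import xml.parsers.expat

# Constructed payload of the kind described for the create-job CLI command:
# the entity would be expanded (and the file contents exposed) by whichever
# tool later reads this configuration with entity resolution enabled.
MALICIOUS_JOB_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<project>
  <description>&xxe;</description>
</project>
"""

CLEAN_JOB_CONFIG = b"""<?xml version="1.0"?>
<project>
  <description>nightly build</description>
</project>
"""


class DtdNotAllowed(ValueError):
    """Raised when the document declares a DOCTYPE."""


def check_no_dtd(xml_bytes):
    """Parse with expat and abort at the first DOCTYPE declaration.

    The handler fires before any entity in the DTD is declared or expanded,
    so nothing after the DOCTYPE is ever processed. Returns True when the
    document has no DTD; raises DtdNotAllowed otherwise, and ExpatError for
    malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(
            f"DOCTYPE {doctype_name!r} not allowed in a job configuration")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)
    return True


def is_safe_job_config(xml_bytes):
    """True only for well-formed XML without a DTD; such input cannot carry
    external entities (XXE) or entity-expansion bombs."""
    try:
        return check_no_dtd(xml_bytes)
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print("malicious accepted:", is_safe_job_config(MALICIOUS_JOB_CONFIG))
    print("clean accepted:", is_safe_job_config(CLEAN_JOB_CONFIG))
```

Rejecting any DOCTYPE is the simplest safe rule here because a job configuration has no legitimate use for one; it blocks both external entities and internal entity expansion attacks in one place, independent of how each downstream parser is configured.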

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:
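The weakness behind CVE-2016-0790 and CVE-2016-0791 is the same, a comparison that returns as soon as one byte differs, so one added example serves both. It is not code from the report or from Jenkins; the token is constructed, and the number of bytes examined stands in for the elapsed time a remote attacker would measure.

```python
"""Token verification: early-exit comparison versus a constant-time one.

Added example; not code from the Dependency-Check report or from Jenkins.
The token is constructed, and the bytes-examined count stands in for the
elapsed time a remote attacker would measure.
"""
import hmac

# Constructed token; a real API or CSRF token is random and per user/session.
EXPECTED_TOKEN = b"0123456789abcdef"


def naive_verify(presented, expected):
    """Byte-by-byte comparison that stops at the first mismatch.

    Returns (matched, bytes_examined). The count grows with the length of the
    correct prefix, which is the signal a timing attack exploits: guess one
    byte at a time and keep the value that takes longest to reject.
    """
    if len(presented) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(presented, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_verify(presented, expected):
    """Compare in time independent of where the inputs differ.

    hmac.compare_digest walks the full input for equal-length values, so a
    wrong first byte and a wrong last byte cost the same.
    """
    return hmac.compare_digest(presented, expected)


def prefix_leak_profile(expected, prefix_lengths):
    """For each n, submit a guess sharing exactly n leading bytes with
    `expected` and record how many bytes naive_verify examined."""
    profile = []
    for n in prefix_lengths:
        guess = bytearray(expected)
        guess[n] ^= 0x01  # diverge right after the shared prefix
        profile.append(naive_verify(bytes(guess), expected)[1])
    return profile


if __name__ == "__main__":
    print("naive compare, bytes examined per prefix length:",
          prefix_leak_profile(EXPECTED_TOKEN, [0, 4, 8, 15]))
    print("constant-time verify of wrong token:",
          constant_time_verify(b"0123456789abcdeX", EXPECTED_TOKEN))
```

The profile for the naive comparison climbs with every correctly guessed byte, which is exactly what the brute-force approach in the two descriptions exploits over the network. To also avoid leaking the stored value's length, compare fixed-size digests (for example SHA-256 of each side) instead of the raw tokens.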

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:
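The directory check and clean-up the advisory text above asks administrators to perform, as an added example that is not code from the report or from Jenkins. JENKINS_HOME is taken from the environment or passed in; the directory name is the one given in the description.

```python
"""Find and remove the world-readable re-key backup directory.

Added example; not code from the Dependency-Check report or from Jenkins.
The directory name comes from the advisory text; JENKINS_HOME is an input.
"""
import os
import shutil
import stat

BACKUP_SUBDIR = os.path.join("jenkins.security.RekeySecretAdminMonitor", "backups")


def rekey_backup_dir(jenkins_home):
    """Path of the backup directory the re-key monitor used to leave behind."""
    return os.path.join(jenkins_home, BACKUP_SUBDIR)


def inspect_rekey_backups(jenkins_home):
    """Return None when the backup directory is absent, otherwise a dict with
    its path, whether 'other' can read it, and how many files it holds."""
    path = rekey_backup_dir(jenkins_home)
    if not os.path.isdir(path):
        return None
    mode = os.stat(path).st_mode
    file_count = sum(len(files) for _, _, files in os.walk(path))
    return {
        "path": path,
        "world_readable": bool(mode & stat.S_IROTH),
        "file_count": file_count,
    }


def remove_rekey_backups(jenkins_home):
    """Delete the backup directory if present. Returns True when it existed."""
    path = rekey_backup_dir(jenkins_home)
    if not os.path.isdir(path):
        return False
    shutil.rmtree(path)
    return True


if __name__ == "__main__":
    home = os.environ.get("JENKINS_HOME", "/var/lib/jenkins")
    report = inspect_rekey_backups(home)
    if report is None:
        print("no re-key backup directory under", home)
    else:
        print(report)
        if report["world_readable"]:
            print("world-readable: remove it and treat the secrets it held as exposed")
```

If the directory was world-readable on a shared host, deleting it closes the hole going forward but does not undo any earlier read: the old key and the secrets encrypted under it (credentials, API tokens) should be rotated. Run the same check against any manually created JENKINS_HOME backups, which may still contain a copy.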

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier, 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier, 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The default form control for passwords and other secrets in Jenkins 2.73.1 and earlier, 2.83 and earlier, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44 and 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

jtidy-4aug2000r7-dev-hudson-1.jar

Description:

JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM parser for real-world HTML.

Hudson modifications: Removed SAX APIs

License:

Java HTML Tidy License: http://svn.sourceforge.net/viewvc/*checkout*/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\jtidy\4aug2000r7-dev-hudson-1\jtidy-4aug2000r7-dev-hudson-1.jar
MD5: 1f014d4bfe25ab914f8bc45eb9371d10
SHA1: ad8553d0acfa6e741d21d5b2c2beb737972ab7c7
SHA256: d9fdeb9be5b7b53a10a50cf70629288c039f219bb4b0cfd407354ebf4f163884
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:jtidy:4aug2000r7-dev-hudson-1  Confidence: Highest
  • cpe: cpe:/a:html-tidy:tidy:-  Confidence: Low

guice-4.0.jar

Description:

 Guice is a lightweight dependency injection framework for Java 6 and above

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\inject\guice\4.0\guice-4.0.jar
MD5: 969e114e22733923ba147331dd779ed5
SHA1: 0f990a43d3725781b6db7cd0acf0a8b62dfd1649
SHA256: b378ffc35e7f7125b3c5f3a461d4591ae1685e3c781392f0c854ed7b7581d6d2
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.google.inject:guice:4.0  Confidence: Highest

aopalliance-1.0.jar

Description:

 AOP Alliance

License:

Public Domain
File Path: C:\Users\Queue\.m2\repository\aopalliance\aopalliance\1.0\aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: aopalliance:aopalliance:1.0  Confidence: Highest

jna-posix-1.0.3-jenkins-1.jar

Description:

Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\org\jruby\ext\posix\jna-posix\1.0.3-jenkins-1\jna-posix-1.0.3-jenkins-1.jar
MD5: 1a21cb979328da73fb57c78da7ce99b9
SHA1: fb1148cc8192614ec1418d414f7b6026cc0ec71b
SHA256: a19f5d74168127165ab3f74561f64d22085fcfe674c4b063edfa0bb1130cd0c4
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jruby.ext.posix:jna-posix:1.0.3-jenkins-1  Confidence: Highest
  • cpe: cpe:/a:jruby:jruby:1.0.3  Confidence: Highest

CVE-2010-1330

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Vulnerable Software & Versions:

CVE-2011-4838

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Vulnerable Software & Versions:

CVE-2012-5370

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-310 Cryptographic Issues

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Vulnerable Software & Versions:

jnr-posix-3.0.41.jar

Description:

Common cross-project/cross-platform POSIX APIs

License:

Common Public License - v 1.0: http://www-128.ibm.com/developerworks/library/os-cpl.html
GNU General Public License Version 2: http://www.gnu.org/copyleft/gpl.html
GNU Lesser General Public License Version 2.1: http://www.gnu.org/licenses/lgpl.html
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-posix\3.0.41\jnr-posix-3.0.41.jar
MD5: 07241a2f1ae0dbeeb7ae507987894b48
SHA1: 36eff018149e53ed814a340ddb7de73ceb66bf96
SHA256: 82a3fd116ffca4cf135c46eda3e377bb87d06f43484ba1bc2e9e1bfee5c7a881
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-posix:3.0.41  Confidence: Highest

jnr-ffi-2.1.4.jar

Description:

 A library for invoking native functions from java

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-ffi\2.1.4\jnr-ffi-2.1.4.jar
MD5: c35450666e9b727234441ba6d9bddae7
SHA1: 0a63bbd4af5cee55d820ef40dc5347d45765b788
SHA256: 64745a3de74257eef1d32af7cf98c4928be0f6c5d72c11729cd500db21c5d478
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-ffi:2.1.4  Confidence: Highest

jffi-1.2.15.jar

Description:

 Java Foreign Function Interface

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.15\jffi-1.2.15.jar
MD5: 11dcf53713798b7f9e4aec8be9cdb6ec
SHA1: f480f0234dd8f053da2421e60574cfbd9d85e1f5
SHA256: cc44e09e92eadb49526acdcfe3b4998faf3060dbc814ead1891be045dce077e1
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jffi:1.2.15  Confidence: Highest

jffi-1.2.15-native.jar

Description:

 Java Foreign Function Interface - Native Libraries

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.15\jffi-1.2.15-native.jar
MD5: 2c5d222a117cc3d522f6eb610f3d1d63
SHA1: 053f344e9e60e16f648dc66ce7cb8b1e7499b2a9
SHA256: c702a59929c1ad8b3b655c852492f153baeffdd251f0c68342d77df87b8ffabb
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jffi:1.2.15  Confidence: Highest

asm-analysis-5.0.3.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-analysis\5.0.3\asm-analysis-5.0.3.jar
MD5: f4bd5c076645f8004663cc35044fdb32
SHA1: c7126aded0e8e13fed5f913559a0dd7b770a10f3
SHA256: e8fa2a63462c96557dcd36c25525e1264b77366ff851cf0b94eb7592b290849d
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-analysis:5.0.3  Confidence: Highest

asm-tree-5.0.3.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-tree\5.0.3\asm-tree-5.0.3.jar
MD5: 94abc9b0126e1ec2c12625dfce54e32e
SHA1: 287749b48ba7162fb67c93a026d690b29f410bed
SHA256: 347a7a9400f9964e87c91d3980e48eebdc8d024bc3b36f7f22189c662853a51c
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: org.ow2.asm:asm-tree:5.0.3  Confidence: Highest

asm-util-5.0.3.jar

File Path: C:\Users\Queue\.m2\repository\org\ow2\asm\asm-util\5.0.3\asm-util-5.0.3.jar
MD5: 85b23e37383c7bb9200a2ad5067842e1
SHA1: 1512e5571325854b05fb1efce1db75fcced54389
SHA256: 2768edbfa2681b5077f08151de586a6d66b916703cda3ab297e58b41ae8f2362
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.ow2.asm:asm-util:5.0.3  Confidence: Highest

jnr-x86asm-1.0.2.jar

Description:

 A pure-java X86 and X86_64 assembler

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-x86asm\1.0.2\jnr-x86asm-1.0.2.jar
MD5: 00670735acb2a9d1421b506dc7d338bc
SHA1: 006936bbd6c5b235665d87bd450f5e13b52d4b48
SHA256: 39f3675b910e6e9b93825f8284bec9f4ad3044cd20a6f7c8ff9e2f8695ebf21e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-x86asm:1.0.2  Confidence: Highest

jnr-constants-0.9.8.jar

Description:

 A set of platform constants (e.g. errno values)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jnr-constants\0.9.8\jnr-constants-0.9.8.jar
MD5: 46ba73140708687f18420bbb4d46a931
SHA1: 478036404879bd582be79e9a7939f3a161601c8b
SHA256: bcd68e9b3d3fb61cd1dc868897fcbd5380fa091092575c343dfd98d34715cef3
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.github.jnr:jnr-constants:0.9.8  Confidence: Highest

trilead-putty-extension-1.2.jar

Description:

 Loads SSH key in the PuTTY format

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\trilead-putty-extension\1.2\trilead-putty-extension-1.2.jar
MD5: aef481868db6ebe61a4cf38a6cdff1ee
SHA1: 0f2f41517e1f73be8e319da27a69e0dc0c524bf6
SHA256: bda184d64b933a6f9c3588102e66f32f69d2e73575df486ff835c30695c432c6
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:trilead-putty-extension:1.2  Confidence: Highest
  • cpe: cpe:/a:putty:putty:1.2  Confidence: Low

trilead-ssh2-build-217-jenkins-11.jar

Description:

 Ganymed SSH2 for Java is a library which implements the SSH-2 protocol in pure Java

License:

BSD style license: http://www.ganymed.ethz.ch/ssh2/LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\trilead-ssh2\build-217-jenkins-11\trilead-ssh2-build-217-jenkins-11.jar
MD5: 6eac2fb5ac3a4b3794477d61c7d3726f
SHA1: f10f4dd4121cc233cac229c51adb4775960fee0a
SHA256: 3fa3f32d7f5327b4fbd57cfbf4818873283b55a63641d6984d89380e528af0ee
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:trilead-ssh2:build-217-jenkins-11  Confidence: Highest
  • cpe: cpe:/a:jenkins:ssh:-  Confidence: Low

CVE-2017-1000245

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

Vulnerable Software & Versions:

eddsa-0.2.0.jar

Description:

 Implementation of EdDSA in Java

License:

CC0 1.0 Universal: https://creativecommons.org/publicdomain/zero/1.0/
File Path: C:\Users\Queue\.m2\repository\net\i2p\crypto\eddsa\0.2.0\eddsa-0.2.0.jar
MD5: e51a52bcf7083fe3fb36e5dc5eb18047
SHA1: 0856a92559c4daf744cb27c93cd8b7eb1f8c4780
SHA256: a7cb1b85c16e2f0730b9204106929a1d9aaae1df728adc7041a8b8b605692140
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: net.i2p.crypto:eddsa:0.2.0  Confidence: Highest

jbcrypt-1.0.0.jar

Description:

 A Java language version of the BCrypt algorithm

License:

ISC: https://www.isc.org/downloads/software-support-policy/isc-license/
File Path: C:\Users\Queue\.m2\repository\org\connectbot\jbcrypt\jbcrypt\1.0.0\jbcrypt-1.0.0.jar
MD5: 80f775383fdab1615f6a123336a3db3a
SHA1: f37bba2b8b78fcc8111bb932318b621dcc6c5194
SHA256: 5e1f9f07014cd9f4b8a517b18c2c9fff84a7e5a27116accc1f1cc22244e238c1
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:mindrot:jbcrypt:1.0.0  Confidence: Low
  • maven: org.connectbot.jbcrypt:jbcrypt:1.0.0  Confidence: Highest

stapler-groovy-1.252.jar

Description:

 Groovy binding for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-groovy\1.252\stapler-groovy-1.252.jar
MD5: cce9bd5248af03370347f25989920b38
SHA1: b612f40b5f37fd77ae1dd5bea7e5d57fefe62f58
SHA256: d345664bf2c6ff542b368469b06fe8f4895a349cab17b6cbffad7c3f592c798e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-groovy:1.252  Confidence: Highest

stapler-jelly-1.252.jar

Description:

 Jelly binding for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-jelly\1.252\stapler-jelly-1.252.jar
MD5: ea8ad335dc8893090e1971f1fa64e218
SHA1: e4ac017e0d0b8af40d628fa9b778b3dbcdbfbfbb
SHA256: 94e315947c05ea17864238ec07f81b65bbaad8498387ed738032e05fb32357d3
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-jelly:1.252  Confidence: Highest

commons-jelly-1.1-jenkins-20120928.jar

Description:

 Jelly is a Java and XML based scripting engine. Jelly combines the best ideas from JSTL, Velocity, DVSL, Ant and Cocoon all together in a simple yet powerful scripting engine.

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\commons-jelly\1.1-jenkins-20120928\commons-jelly-1.1-jenkins-20120928.jar
MD5: c0fc39ae35a97354654267c12d4f86c1
SHA1: 2720a0d54b7f32479b08970d7738041362e1f410
SHA256: 73dc26fd3fb5b45006266cc2aa1d8cfa784d0e4406dc635881cf2670e502e97e
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:commons-jelly:1.1  Confidence: Low
  • maven: org.jenkins-ci:commons-jelly:1.1-jenkins-20120928  Confidence: Highest

dom4j-1.6.1-jenkins-4.jar

Description:

 dom4j: the flexible XML framework for Java

File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\dom4j\dom4j\1.6.1-jenkins-4\dom4j-1.6.1-jenkins-4.jar
MD5: 4dc597b3ac3d2fb40a444a66e7bfebad
SHA1: 9a370b2010b5a1223c7a43dae6c05226918e17b1
SHA256: 266389dc65896f73950c4c75ad42e3ee9f839ded8e6c76479ed11103fb25b547
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

CVE-2018-1000632

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element, Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Vulnerable Software & Versions:

stapler-jrebel-1.252.jar

Description:

 JRebel reloading support for Stapler

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-jrebel\1.252\stapler-jrebel-1.252.jar
MD5: baed6459ef05d6383e3a20d22c1c2f57
SHA1: deb4460a782979240315ecec292b72a7d614ced1
SHA256: e901dba90d421c4209c1cdb5fdf240df53a5070527e4cd47e355f0e238a4fcfa
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-jrebel:1.252  Confidence: Highest

stapler-1.252.jar

Description:

 Stapler HTTP request handling engine

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler\1.252\stapler-1.252.jar
MD5: e87b6153b1c0fd0aa69456dc0f097662
SHA1: 25a30b46544c24fc0313d7b0b3493e98d0f06c7a
SHA256: 9a4627633e7c224e05ca14c01b98c49997e82624727e581936ecc17e7fcb0582
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler:1.252  Confidence: Highest

commons-discovery-0.4.jar

Description:

 Commons Discovery

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\commons-discovery\commons-discovery\0.4\commons-discovery-0.4.jar
MD5: cdbb606faa974f9361a85d6df53aeb9f
SHA1: 9e3417d3866d9f71e83b959b229b35dc723c7bea
SHA256: 97d264e2f98821c4cd39eacfd597b4dc7c19d4232cf1f335fc2eab389b2d92fd
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: commons-discovery:commons-discovery:0.4  Confidence: Highest

tiger-types-2.2.jar

License:

CDDL/GPLv2 dual license: http://www.opensource.org/licenses/cddl1.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\tiger-types\2.2\tiger-types-2.2.jar
MD5: dcc9eb485a88b85473fc70752a4a8473
SHA1: 7ddc6bbc8ca59be8879d3a943bf77517ec190f39
SHA256: 37af58e5972b3a6678f0dca5932fae99cbe12c73f00f35b939c2ac27e791034c
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jvnet:tiger-types:2.2  Confidence: Highest

windows-package-checker-1.2.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\windows-package-checker\1.2\windows-package-checker-1.2.jar
MD5: d940ebb88b630260d295bb50246c3553
SHA1: 86b5d2f9023633808d65dbcfdfd50dc5ad3ca31f
SHA256: 602f868ff050409f9cd5e9ced3a53c44f8ac7faca105b66d40a47dcc76f5a68f
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:windows-package-checker:1.2  Confidence: Highest

stapler-adjunct-zeroclipboard-1.3.5-1.jar

License:

MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-zeroclipboard\1.3.5-1\stapler-adjunct-zeroclipboard-1.3.5-1.jar
MD5: 2fa83c1a4c2ba8c7253224fefe72f307
SHA1: 20184ea79888b55b6629e4479615b52f88b55173
SHA256: 2116fb55ae05710db2a86f379f18617de3148f595c46a31d461833397540d3e8
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-zeroclipboard:1.3.5-1  Confidence: Highest
  • cpe: cpe:/a:zeroclipboard_project:zeroclipboard:1.3.5.1  Confidence: Low

stapler-adjunct-timeline-1.5.jar

License:

BSD License: http://simile.mit.edu/license.html
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-timeline\1.5\stapler-adjunct-timeline-1.5.jar
MD5: 2d7da40a2c10d1c12b07a831fcf76710
SHA1: 3fa806cbb94679ceab9c1ecaaf5fea8207390cb7
SHA256: 5e9f38e58a37fdcdf737c22d87beef13a42186bfd10caa7a7b653d6fdad47df5
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-timeline:1.5  Confidence: Highest

stapler-adjunct-codemirror-1.3.jar

License:

MIT License: http://codemirror.net/LICENSE
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\stapler-adjunct-codemirror\1.3\stapler-adjunct-codemirror-1.3.jar
MD5: 5ebb241efd642d6985b89d56b8d640c8
SHA1: fd1d45544400d2a4da6dfee9e60edd4ec3368806
SHA256: 86805045ff832db5dd30bce3a3303c8004d2373a495556a06a61bc107518d7cc
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:stapler-adjunct-codemirror:1.3  Confidence: Highest

bridge-method-annotation-1.13.jar

File Path: C:\Users\Queue\.m2\repository\com\infradna\tool\bridge-method-annotation\1.13\bridge-method-annotation-1.13.jar
MD5: 2ee1c4c795c0c749988760d3f3b14ff5
SHA1: 18cdce50cde6f54ee5390d0907384f72183ff0fe
SHA256: 2bc0d11e078c6ee0c0f9a781aa12d9f2d78807e1c026952f834ca77cfaa1dd04
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: com.infradna.tool:bridge-method-annotation:1.13  Confidence: Highest

json-lib-2.4-jenkins-2.jar

Description:

Java library for transforming beans, maps, collections, java arrays and XML to JSON.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\stapler\json-lib\2.4-jenkins-2\json-lib-2.4-jenkins-2.jar
MD5: 89af908e408eedc0c3abd5a1a08e29de
SHA1: 7f4f9016d8c8b316ecbe68afe7c26df06d301366
SHA256: 2ba2ac0f4e73e8f2a485903a014371bc2f72e3074d78970a97f4a5c8ff64551b
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.stapler:json-lib:2.4-jenkins-2  Confidence: Highest

ezmorph-1.0.6.jar

Description:

Simple java library for transforming an Object to another Object.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\sf\ezmorph\ezmorph\1.0.6\ezmorph-1.0.6.jar
MD5: 1fa113c6aacf3a01af1449df77acd474
SHA1: 01e55d2a0253ea37745d33062852fd2c90027432
SHA256: 2be06a2380f8656426b5c610db694bbd75314caf3e9191affcd7942721398ed7
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: net.sf.ezmorph:ezmorph:1.0.6  Confidence: Highest

commons-httpclient-3.1-jenkins-1.jar

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-httpclient\commons-httpclient\3.1-jenkins-1\commons-httpclient-3.1-jenkins-1.jar
MD5: ad5ec7aacd1ac02da980118e3d0d8389
SHA1: a75a5917272ea09a24e6a4d9fc0b88a382341d22
SHA256: 62a97f761fcbc527d7cb42d92376a92b6f18f08144501c5ac855ec581a0d5883
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: commons-httpclient:commons-httpclient:3.1-jenkins-1  Confidence: Highest
  • cpe: cpe:/a:jenkins:jenkins:3.1  Confidence: Low

junit-4.12.jar

Description:

 JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

License:

Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\Users\Queue\.m2\repository\junit\junit\4.12\junit-4.12.jar
MD5: 5b38c40c97fbd0adee29f91e60405584
SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec
SHA256: 59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: junit:junit:4.12  Confidence: Highest

hamcrest-core-1.3.jar

Description:

This is the core API of the hamcrest matcher framework to be used by third-party framework providers. This includes a foundation set of matcher implementations for common operations.

File Path: C:\Users\Queue\.m2\repository\org\hamcrest\hamcrest-core\1.3\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
SHA256: 66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.hamcrest:hamcrest-core:1.3  Confidence: Highest

args4j-2.0.31.jar

Description:

 args4j : Java command line arguments parser

License:

http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\args4j\args4j\2.0.31\args4j-2.0.31.jar
MD5: c71452dc7aee7e24fc88ceb6d9601329
SHA1: 6b870d81551ce93c5c776c3046299db8ad6c39d2
SHA256: 2d08e1b232e46be8fb6b6596faf48d64be509449ce3799de758d953ba6380e7a
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: args4j:args4j:2.0.31  Confidence: Highest

annotation-indexer-1.12.jar

Description:

Creates index of annotations.

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\annotation-indexer\1.12\annotation-indexer-1.12.jar
MD5: e13728f2461e931ecf66e45415e89363
SHA1: 8f6ee0cd64c305dcca29e2f5b46631d50890208f
SHA256: 7e6004ae3b641de60046b728ad5d3005b81b546eaef9f268f05689dc084bf253
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:annotation-indexer:1.12  Confidence: Highest

bytecode-compatibility-transformer-1.8.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\bytecode-compatibility-transformer\1.8\bytecode-compatibility-transformer-1.8.jar
MD5: 49f5ddadbc4db1b1d335ab767820aae0
SHA1: aded88ffe12f1904758397f96f16957e97b88e6e
SHA256: fdc28e643b823211939f59f0b51438289499482c50437abd21aad29b94428810
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.8  Confidence: Low
  • maven: org.jenkins-ci:bytecode-compatibility-transformer:1.8  Confidence: Highest

CVE-2011-4344

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158

Severity: Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens, which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a cross-site request forgery issue in the Jenkins user database authentication realm: an attacker can create an account if signup is enabled, or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts as well as users appearing in SCM, in directories on disk named after the user ID. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission, typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier and 2.83 and earlier provided information about Jenkins user accounts to anyone with Overall/Read permission via the /user/(username)/api remote API. This included, e.g., Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier and 2.83 and earlier bundled a version of the commons-httpclient library affected by CVE-2012-6153, which incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /computer/(agent-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API at /queue/item/(ID)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The remote API at /job/(job-name)/api in Jenkins 2.73.1 and earlier and 2.83 and earlier contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

In Jenkins 2.73.1 and earlier and 2.83 and earlier, the default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins and made available to users with access to those log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java and ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java and SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java and BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java and BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java and TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

asm5-5.0.1.jar

Description:

ObjectWeb ASM package-renamed to isolate incompatibilities between major versions

License:

BSD License: http://asm.ow2.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\asm5\5.0.1\asm5-5.0.1.jar
MD5: 3fa9de5c3c3bb6847366d777b9e6c518
SHA1: 71ab0620a41ed37f626b96d80c2a7c58165550df
SHA256: 442c6c06d4dfac1afba4ddd31eec54d3dcabc78a37d70baa81455d41b84fb967
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:asm5:5.0.1  Confidence:Highest

task-reactor-1.4.jar

License:

MIT License: http://jenkins-ci.org/mit-license
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\task-reactor\1.4\task-reactor-1.4.jar
MD5: e102edb5dabfc6194eec1df6b6ee1baf
SHA1: b89e501a3bc64fe9f28cb91efe75ed8745974ef8
SHA256: 2d9ea1795e96735b7c0b2124c181ac10e71705f7ea1e28038a7244b0ced15841
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:task-reactor:1.4  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:1.4  Confidence:Low  

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity:High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

localizer-1.24.jar

File Path: C:\Users\Queue\.m2\repository\org\jvnet\localizer\localizer\1.24\localizer-1.24.jar
MD5: d06fc8bcd455039c6a235004da730c04
SHA1: e20e7668dbf36e8d354dab922b89adb6273b703f
SHA256:ad259f52e1453e1fe02bbbbf4cd86871bdf3ef3bb59cb04b33907d43daea80b9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.localizer:localizer:1.24  Confidence:Highest

antlr-2.7.6.jar

File Path: C:\Users\Queue\.m2\repository\antlr\antlr\2.7.6\antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
SHA256:df74f330d36526ff9e717731fd855152fcff51618f0b5785d0049022f89d568b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: antlr:antlr:2.7.6  Confidence:Highest

xstream-1.4.7-jenkins-1.jar

Description:

 XStream is a serialization library from Java objects to XML and back.

License:

http://xstream.codehaus.org/license.html
File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\xstream\1.4.7-jenkins-1\xstream-1.4.7-jenkins-1.jar
MD5: 6b27008bd6cb5f4cc430e219d785313a
SHA1: 161ed1603117c2d37b864f81a0d62f36cf7e958a
SHA256:405fdd4c2e594756d2e7948acbef3b1cbe13fb024dc441a2fc8d492deb48cec3
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:xstream_project:xstream:1.4.7  Confidence:Low  
  • maven: org.jvnet.hudson:xstream:1.4.7-jenkins-1  Confidence:Highest

CVE-2016-3674  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Vulnerable Software & Versions:

CVE-2017-7957  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

Vulnerable Software & Versions:

jfreechart-1.0.9.jar

Description:

JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: C:\Users\Queue\.m2\repository\jfree\jfreechart\1.0.9\jfreechart-1.0.9.jar
MD5: e40fdcd9dcf52833f3a9b2e63f1f438c
SHA1: 6e522aa603bf7ac69da59edcf519b335490e93a6
SHA256:4a2a1eb6d188a43e1e97bb7c7d204a5bdd1aaec0d82203cf1b1156ff697d7f8e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: jfree:jfreechart:1.0.9  Confidence:Highest

jcommon-1.0.12.jar

Description:

JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: C:\Users\Queue\.m2\repository\jfree\jcommon\1.0.12\jcommon-1.0.12.jar
MD5: 99bc885bb5c68be1c09ed23c997df5ac
SHA1: 737f02607d2f45bb1a589a85c63b4cd907e5e634
SHA256:34dd367ad34ae0baa5d5430fc9a13db1d12d66e29477cbb453ca92f5084a4e7b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: jfree:jcommon:1.0.12  Confidence:Highest

ant-1.8.4.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\ant\ant\1.8.4\ant-1.8.4.jar
MD5: 067d9414ebe343fd1b229cfe9c928a84
SHA1: 8acff3fb57e74bc062d4675d9dcfaffa0d524972
SHA256:ffc5818ca8cde2ed111d9d6c6763d301429ad9897582f0968b80c1a136e9dba4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.apache.ant:ant:1.8.4  Confidence:Highest

ant-launcher-1.8.4.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\ant\ant-launcher\1.8.4\ant-launcher-1.8.4.jar
MD5: 77ee843cb323c5ce1a244a16438ea9da
SHA1: 22f1e0c32a2bfc8edd45520db176bac98cebbbfe
SHA256:4394951e8d8533732bf5745f4e7bffa721228c7d5475a2d5f143cb35ed9c2941
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.apache.ant:ant-launcher:1.8.4  Confidence:Highest

commons-io-2.4.jar

Description:

The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-io\commons-io\2.4\commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
SHA256:cc6a41dc3eaacc9e440a6bd0d2890b20d36b4ee408fe2d67122f328bb6e01581
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-io:commons-io:2.4  Confidence:Highest

commons-digester-2.1.jar

Description:

The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-digester\commons-digester\2.1\commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
SHA256:e0b2b980a84fc6533c5ce291f1917b32c507f62bcad64198fff44368c2196a3d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: commons-digester:commons-digester:2.1  Confidence:Highest

commons-compress-1.10.jar

Description:

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-compress\1.10\commons-compress-1.10.jar
MD5: c1169464be26d435f268f03918b6baf7
SHA1: 5eeb27c57eece1faf2d837868aeccc94d84dcc9a
SHA256:807c95293e41e8159477442077da6d0962a7f486d4b980be61f60a8db9cb290f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:commons-compress:1.10  Confidence:Low  
  • maven: org.apache.commons:commons-compress:1.10  Confidence:Highest

mail-1.4.4.jar

Description:

 JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\mail\mail\1.4.4\mail-1.4.4.jar
MD5: f30453ae9ee252c802d349009742065f
SHA1: b907ef0a02ff6e809392b1e7149198497fcc8e49
SHA256:e02be269ddd475651248889892f5dcaebb9058d5d3afef2c5b5dc391f2471528
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

activation-1.1.1-hudson-1.jar

Description:

 Java Activation Framework with patch

File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\activation\1.1.1-hudson-1\activation-1.1.1-hudson-1.jar
MD5: 8adfc4a9b8c3b2f7beae53e5ce8fdb73
SHA1: 7957d80444223277f84676aabd5b0421b65888c4
SHA256:aaa496cc667efb3f4c5e8960390ec5d3f8964a58970a3cb7ebe462054690e254
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:activation:1.1.1-hudson-1  Confidence:Highest

jaxen-1.1-beta-11.jar

Description:

 Jaxen is a universal Java XPath engine.

File Path: C:\Users\Queue\.m2\repository\jaxen\jaxen\1.1-beta-11\jaxen-1.1-beta-11.jar
MD5: 6b0c65b0db4e60c6e5daadf65cac1192
SHA1: 81e32b8bafcc778e5deea4e784670299f1c26b96
SHA256:199d144dda603c8f936df60421c43f2707676be1163d4330163f36731944a304
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: jaxen:jaxen:1.1-beta-11  Confidence:Highest

commons-jelly-tags-fmt-1.0.jar

File Path: C:\Users\Queue\.m2\repository\commons-jelly\commons-jelly-tags-fmt\1.0\commons-jelly-tags-fmt-1.0.jar
MD5: ff110c950c9fcf08e98a325f6708ba78
SHA1: 2107da38fdd287ab78a4fa65c1300b5ad9999274
SHA256:509e873164cf7c5b62b7a5285340ac0f59d92bbd861b78c91322a27e91f24638
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: commons-jelly:commons-jelly-tags-fmt:1.0  Confidence:Highest
  • cpe: cpe:/a:apache:commons-jelly:1.0.1.rc6  Confidence:Low  

CVE-2017-12621  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

Vulnerable Software & Versions:

commons-jelly-tags-xml-1.1.jar

Description:

 The Jelly XML Tag Library

File Path: C:\Users\Queue\.m2\repository\commons-jelly\commons-jelly-tags-xml\1.1\commons-jelly-tags-xml-1.1.jar
MD5: 249d2afad4d419a8139549ca2ab8a05a
SHA1: cc0efc2ae0ff81ef7737afc786a0ce16a8540efc
SHA256:416c0eb9a03cb6fe212982e133d0ddcbf204946e2c0006855f25f494f50646d8
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:apache:commons-jelly:1.1  Confidence:Low  
  • maven: commons-jelly:commons-jelly-tags-xml:1.1  Confidence:Highest

commons-jelly-tags-define-1.0.1-hudson-20071021.jar

Description:

 The Jelly Define Tag Library

File Path: C:\Users\Queue\.m2\repository\org\jvnet\hudson\commons-jelly-tags-define\1.0.1-hudson-20071021\commons-jelly-tags-define-1.0.1-hudson-20071021.jar
MD5: 1d6763fb2a89c9fe54f75e69ded222f5
SHA1: 8b952d0e504ee505d234853119e5648441894234
SHA256:943b68fe8ff055234b5799579e6dcc70ffa8e94a3f4c8f2fd10f77ced98b2c0d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.hudson:commons-jelly-tags-define:1.0.1-hudson-20071021  Confidence:Highest
  • cpe: cpe:/a:apache:commons-jelly:1.0.1.rc6  Confidence:Low  

CVE-2017-12621  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL. This could lead to XML External Entity (XXE) attacks in Apache Commons Jelly before 1.0.1.

Vulnerable Software & Versions:
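
CVE-2017-12621 above, and the Spring XXE entries further down this report (CVE-2013-4152, CVE-2013-6429, CVE-2013-7315, CVE-2014-0054), all describe the same condition: an XML parser that still resolves external entities. The following Java program is an added example by the editor, not code from Apache Jelly, Spring, or this report. It builds a constructed document of the shape the CVE text describes (a DOCTYPE declaring a SYSTEM entity that the body references; the host attacker.invalid is a placeholder), then parses it once with a stock SAXParserFactory and once with a factory hardened against DTDs. An EntityResolver records the URL the parser tries to fetch instead of letting it connect, so the demo runs offline.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeParserDemo {

    // Constructed sample input (not taken from the report): the DOCTYPE declares
    // an external SYSTEM entity and the body references it, which is the shape
    // CVE-2017-12621 describes. attacker.invalid is a placeholder host.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE j [ <!ENTITY ext SYSTEM \"http://attacker.invalid/secret\"> ]>\n"
        + "<j:jelly xmlns:j=\"jelly:core\">&ext;</j:jelly>\n";

    // Weak configuration: a stock SAXParserFactory processes the DTD and asks
    // its EntityResolver to fetch the SYSTEM URL as soon as &ext; is reached.
    static SAXParser defaultParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    // Hardened configuration: refuse any DOCTYPE, and as defence in depth also
    // turn off external entities and external DTD loading for parsers that do
    // not honour disallow-doctype-decl.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Records the URL the parser tries to resolve instead of letting it connect,
    // so the demo stays offline while still showing the attempted fetch.
    static final class RecordingResolver extends DefaultHandler {
        String requestedSystemId;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requestedSystemId = systemId;
            return new InputSource(new StringReader("")); // empty stand-in entity
        }
    }

    // Returns the external URL the parser asked for, or null if it never did.
    static String externalFetchRequested(SAXParser parser) {
        RecordingResolver resolver = new RecordingResolver();
        try {
            parser.parse(new InputSource(new StringReader(DOC)), resolver);
        } catch (SAXException | IOException e) {
            // The hardened parser ends up here: it rejects the DOCTYPE before
            // any entity is resolved, so requestedSystemId is still null.
        }
        return resolver.requestedSystemId;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser fetched: " + externalFetchRequested(defaultParser()));
        System.out.println("hardened parser fetched: " + externalFetchRequested(hardenedParser()));
    }
}
```

The stock parser reports the placeholder URL because resolution is attempted purely as a side effect of parsing, which is the point the CVE text makes: no application code has to do anything with the entity for the request to go out. The hardened factory fails on the DOCTYPE line before the resolver is ever consulted. Upgrading the library is still the fix the report asks for; the factory settings are what an application should apply to any XML parser it controls, whether or not a dependency is patched.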

commons-jexl-1.1-jenkins-20111212.jar

Description:

 Jexl is an implementation of the JSTL Expression Language with extensions.

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\commons-jexl\1.1-jenkins-20111212\commons-jexl-1.1-jenkins-20111212.jar
MD5: 6ac1813e9e680f10aa01e5bfa06a7f22
SHA1: 0a990a77bea8c5a400d58a6f5d98122236300f7d
SHA256:3d1e5c11e50862187b13a267afaf14257276c4e311f35305630b3dd690e73eba
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:commons-jexl:1.1-jenkins-20111212  Confidence:Highest

acegi-security-1.0.7.jar

File Path: C:\Users\Queue\.m2\repository\org\acegisecurity\acegi-security\1.0.7\acegi-security-1.0.7.jar
MD5: 355696bb2e3d3c9892543396271d4d79
SHA1: 72901120d299e0c6ed2f6a23dd37f9186eeb8cc3
SHA256:c59e0363a1f9d262da3bc6ac5a37d661372e14d8cb4f5afca734c815e7529a0b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2010-3700  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.

Vulnerable Software & Versions:

spring-dao-1.2.9.jar

Description:

 Spring Framework: DAO

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-dao\1.2.9\spring-dao-1.2.9.jar
MD5: 2396ea4e1942a5fc7950cd4478120ec7
SHA1: 6f90baf86fc833cac3c677a8f35d3333ed86baea
SHA256:4b1410d6d81a6cea35a6152e257262874d87a66634fe1fc3dd281a3a5e9d46de
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:1.2.9  Confidence:Low  
  • cpe: cpe:/a:springsource:spring_framework:1.2.9  Confidence:Low  
  • cpe: cpe:/a:pivotal:spring_framework:1.2.9  Confidence:Low  
  • maven: org.springframework:spring-dao:1.2.9  Confidence:Highest
  • cpe: cpe:/a:vmware:springsource_spring_framework:1.2.9  Confidence:Low  

CVE-2011-2730  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

oro-2.0.8.jar

File Path: C:\Users\Queue\.m2\repository\oro\oro\2.0.8\oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: oro:oro:2.0.8  Confidence:Highest

groovy-all-2.4.11.jar

Description:

 Groovy: A powerful, dynamic language for the JVM

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\groovy\groovy-all\2.4.11\groovy-all-2.4.11.jar
MD5: 68623b263afb092052615d3cd73117fc
SHA1: 444a64af79c540aad257e49d95050e7c189f1309
SHA256:f48485659f0694d81bf2e547874fd2617aa4312412dfcbb968175638e8b146fb
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

jline-2.12.jar

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar
MD5: 391c352dda90e0e16aa129286d72f2c7
SHA1: ce9062c6a125e0f9ad766032573c041ae8ecc986
SHA256:d34b45c8ca4359c65ae61e406339022e4731c739bc3448ce3999a60440baaa72
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: jline:jline:2.12  Confidence:Highest

spring-aop-2.5.6.SEC03.jar

Description:

 Spring Framework: AOP

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\springframework\spring-aop\2.5.6.SEC03\spring-aop-2.5.6.SEC03.jar
MD5: 234953c77588fcd130a9403700bf93b7
SHA1: 6468695557500723a18630b712ce112ec58827c1
SHA256:0eeb6610b4bcc62ceba4acc73869552044c913d995d8d6fdb31a3c45fc42af54
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.6.sec03  Confidence:Low  
  • cpe: cpe:/a:springsource:spring_framework:2.5.6.sec03  Confidence:Low  
  • cpe: cpe:/a:pivotal:spring_framework:2.5.6.sec03  Confidence:Low  
  • maven: org.springframework:spring-aop:2.5.6.SEC03  Confidence:Highest
  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.6.sec03  Confidence:Low  

CVE-2011-2730  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

xpp3-1.1.4c.jar

Description:

 MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.

License:

Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: C:\Users\Queue\.m2\repository\xpp3\xpp3\1.1.4c\xpp3-1.1.4c.jar
MD5: 6e3c39f391e4994888b7d0030f775804
SHA1: 9b988ea84b9e4e9f1874e390ce099b8ac12cfff5
SHA256:0341395a481bb887803957145a6a37879853dd625e9244c2ea2509d9bb7531b9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: xpp3:xpp3:1.1.4c  Confidence:Highest

jstl-1.1.0.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\jstl\1.1.0\jstl-1.1.0.jar
MD5: ecc36a63c16bb2195198d24f2b803804
SHA1: bca201e52333629c59e459e874e5ecd8f9899e15
SHA256:adfc9894216d74165da7c808db5948b13d7e8c3f540eddc8217e9f2b63e8dfa4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: javax.servlet:jstl:1.1.0  Confidence:Highest

txw2-20110809.jar

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\txw2\txw2\20110809\txw2-20110809.jar
MD5: 67aa3d67701de0b808ff606e1756c8bb
SHA1: 46afa3f3c468680875adb8f2a26086a126c89902
SHA256:3c535fd9d38ce20b8c9031086710f0e6f3175e1a638fa088b3de43e7193211d7
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.sun.xml.txw2:txw2:20110809  Confidence:Highest

stax-api-1.0-2.jar

Description:

 StAX is a standard XML processing API that allows you to stream XML data from and to your application.

License:

GNU General Public License: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: C:\Users\Queue\.m2\repository\javax\xml\stream\stax-api\1.0-2\stax-api-1.0-2.jar
MD5: 7d18b63063580284c3f5734081fdc99f
SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: javax.xml.stream:stax-api:1.0-2  Confidence:Highest

relaxngDatatype-20020414.jar

File Path: C:\Users\Queue\.m2\repository\relaxngDatatype\relaxngDatatype\20020414\relaxngDatatype-20020414.jar
MD5: fd667fbdaf3190bdd8aee4e8e2d12d5c
SHA1: de7952cecd05b65e0e4370cc93fc03035175eef5
SHA256:2a2563efc911f431250214220570fac8ec3f43c3ec1e47328cee78062f81b218
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: relaxngDatatype:relaxngDatatype:20020414  Confidence:Highest

commons-collections-3.2.2.jar

Description:

 Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-collections\commons-collections\3.2.2\commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:commons_collections:3.2.2  Confidence:Low  
  • maven: commons-collections:commons-collections:3.2.2  Confidence:Highest

winp-1.25.jar

Description:

 Kill process tree in Windows

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.25\winp-1.25.jar
MD5: b8a1845d1d709a86a2b9c0a08a92c1ad
SHA1: 1c88889f80c0e03a7fb62c26b706d68813f8e657
SHA256:8ec5e0f096ad547c90ff23d1188a1a270373b98b39f08c77355c46112a964d8d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.winp:winp:1.25  Confidence:Highest

memory-monitor-1.9.jar

Description:

 Code for monitoring memory/swap usage

License:

MIT: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\memory-monitor\1.9\memory-monitor-1.9.jar
MD5: 69b97d9079f500cfaadd5bc8659dff68
SHA1: 1935bfb46474e3043ee2310a9bb790d42dde2ed7
SHA256:a57d4df8227dce7605be1514ba385859847bbc172dcade1e3439dc9b5e92399a
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:memory-monitor:1.9  Confidence:Highest
  • cpe: cpe:/a:jenkins:jenkins:1.9  Confidence:Low  
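
The cpe:/a:jenkins:jenkins:1.9 match above carries Low confidence, and it is what attaches the Jenkins core CVEs listed below to memory-monitor-1.9.jar, a small org.jenkins-ci utility library rather than Jenkins itself. Similarly, spring-aop-2.5.6.SEC03.jar earlier in this report is flagged for CVE-2011-2730 although that CVE's own description names 2.5.6.SEC03 as the first fixed release. The suppression file below is an added example by the editor, not part of this report or of the Dependency-Check project's own files; it shows the two different scopes a practitioner would use for these two cases, a whole-CPE suppression for the mis-identified jar and a single-CVE suppression for the fixed-version match. The SHA1 values are the ones printed in this report for each jar; the file name suppressions.xml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- memory-monitor-1.9.jar is an org.jenkins-ci helper library, not Jenkins core.
       Suppress the wrong CPE rather than the individual CVEs, and pin the rule to the
       jar's SHA1 from the report so it cannot silently cover a different file. -->
  <suppress>
    <notes><![CDATA[
      memory-monitor-1.9.jar: Jenkins CI utility library mis-identified as Jenkins core
      (cpe:/a:jenkins:jenkins:1.9, CPE confidence Low).
    ]]></notes>
    <sha1>1935bfb46474e3043ee2310a9bb790d42dde2ed7</sha1>
    <cpe>cpe:/a:jenkins:jenkins</cpe>
  </suppress>

  <!-- spring-aop-2.5.6.SEC03.jar: the Spring Framework CPE is correct, so it stays in
       place and the remaining entries keep surfacing. Only CVE-2011-2730 is suppressed,
       because its description states the fix shipped in 2.5.6.SEC03. -->
  <suppress>
    <notes><![CDATA[
      spring-aop-2.5.6.SEC03.jar: CVE-2011-2730 is fixed in 2.5.6.SEC03 per the advisory text.
    ]]></notes>
    <sha1>6468695557500723a18630b712ce112ec58827c1</sha1>
    <cve>CVE-2011-2730</cve>
  </suppress>

</suppressions>
```

Pass the file to the scanner with the command line option --suppression (or the equivalent plugin setting) and re-run; the suppressed entries should drop out of the report while the rest remain. Pinning on sha1 is deliberate: if the jar is later upgraded, its hash changes, the rule stops matching, and the new version is evaluated from scratch instead of inheriting a stale exemption. Do not extend the spring-aop rule to the other Spring Framework CVEs without checking which Spring modules are actually on the classpath; 2.5.6 is an unsupported line and several of those entries are ranges that include it.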

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity: Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a Java crash in XStream when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

wstx-asl-3.2.9.jar

Description:

Woodstox is a high-performance XML processor that implements the StAX (JSR-173) API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\woodstox\wstx-asl\3.2.9\wstx-asl-3.2.9.jar
MD5: 8cb7d88faca2da5a3f9a3c50eee1fc3b
SHA1: c82b6e8f225bb799540e558b10ee24d268035597
SHA256:fcfe0265682f49b40a81073959c7fc6d57efda8c86ccf3bc6700d884411b1271
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.codehaus.woodstox:wstx-asl:3.2.9  Confidence:Highest

stax-api-1.0.1.jar

Description:

StAX API is the standard Java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\stax\stax-api\1.0.1\stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: stax:stax-api:1.0.1  Confidence:Highest

jmdns-3.4.0-jenkins-3.jar

Description:

Multi-cast DNS implementation for Java.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\jmdns\3.4.0-jenkins-3\jmdns-3.4.0-jenkins-3.jar
MD5: d01f9778ef41fe79ad93ea57c27d0573
SHA1: 264d0c402b48c365f34d072b864ed57f25e92e63
SHA256:a1fe04e60bdbe39271607ef926374028e7779d60134b23ecb2e0c7064adbd310
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jenkins-ci:jmdns:3.4.0-jenkins-3  Confidence:Highest

jna-4.2.1.jar

Description:

Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar
MD5: 8d536ddbe44d1500d262960891911f91
SHA1: fcc5b10cb812c41b00708e7b57baccc3aee5567c
SHA256:edc2a2c4f9b0b55fdc66aef3c9a9ddfff97e4b892842d4c0e1bc6eaff704abcb
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: net.java.dev.jna:jna:4.2.1  Confidence:Highest

akuma-1.10.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\akuma\1.10\akuma-1.10.jar
MD5: 0e6b6d5177056308682c9e8dfec7232a
SHA1: 0e2c6a1f79f17e3fab13332ab8e9b9016eeab0b6
SHA256:8b06426d76aea70f7a6f3161f1522852152cbb692ca0a8b02860d705a908b61d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:akuma:1.10  Confidence:Highest

libpam4j-1.8.jar

License:

The MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\libpam4j\1.8\libpam4j-1.8.jar
MD5: a8e0d0c46b9a1b74f7128ed520001dcf
SHA1: 548d4a1177adad8242fe03a6930c335669d669ad
SHA256:9ea7647850da016dfe31f65b86ffba2792b0631816f7b4d96706bbc57a02b88f
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

CVE-2017-12197  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.

Vulnerable Software & Versions:

libzfs-0.8.jar

Description:

libzfs for Java

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE: http://www.opensource.org/licenses/cddl1.txt
File Path: C:\Users\Queue\.m2\repository\org\kohsuke\libzfs\0.8\libzfs-0.8.jar
MD5: e8ade68aa616dbdba85bb8e8944d0f07
SHA1: 5bb311276283921f7e1082c348c0253b17922dcc
SHA256:97a3eb647e59887005f9c7d8c12f960fe806f387ca67ef997692be4ff63b8165
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:libzfs:0.8  Confidence:Highest

embedded_su4j-1.1.jar

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\com\sun\solaris\embedded_su4j\1.1\embedded_su4j-1.1.jar
MD5: 754ab27a4bc4f2409d6cd9652f3ae3e0
SHA1: 9404130cc4e60670429f1ab8dbf94d669012725d
SHA256:5ff5075959efd9c55296c8cfc6122ca3bdfd58cdc350ff12ff2659b260f7803e
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.sun.solaris:embedded_su4j:1.1  Confidence:Highest

sezpoz-1.12.jar

File Path: C:\Users\Queue\.m2\repository\net\java\sezpoz\sezpoz\1.12\sezpoz-1.12.jar
MD5: 39e86acbd7fc7ba62120a7de78ab6d9c
SHA1: 01f7e4a04e06fdbc91d66ddf80c443c3f7c6503c
SHA256:8961dc98b9eb5d7038c098fff56e9739668c0e87fa1730fa0af15b9be5bd917c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: net.java.sezpoz:sezpoz:1.12  Confidence:Highest

j-interop-2.0.6-kohsuke-1.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\jinterop\j-interop\2.0.6-kohsuke-1\j-interop-2.0.6-kohsuke-1.jar
MD5: cf88331453c9050f0b2f058ec0baaeaa
SHA1: b2e243227608c1424ab0084564dc71659d273007
SHA256:994401c68a150bffe65718da044e57d1ba98e6266b7f0218b2968a14774fa477
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.jinterop:j-interop:2.0.6-kohsuke-1  Confidence:Highest

j-interopdeps-2.0.6-kohsuke-1.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\jinterop\j-interopdeps\2.0.6-kohsuke-1\j-interopdeps-2.0.6-kohsuke-1.jar
MD5: a17335569fd2765c000e9d76116b0da9
SHA1: 778400517a3419ce8c361498c194036534851736
SHA256:b091c448eb7e14e44d62c7869bace267210c20d387c49f61f68a1d068abf3ea9
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.kohsuke.jinterop:j-interopdeps:2.0.6-kohsuke-1  Confidence:Highest

jcifs-1.2.19.jar

Description:

JCIFS is an open source client library that implements the CIFS/SMB networking protocol in 100% Java

License:

GNU Lesser General Public License, version 2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt
File Path: C:\Users\Queue\.m2\repository\org\samba\jcifs\jcifs\1.2.19\jcifs-1.2.19.jar
MD5: bcaefdc4b6521ea530ec129811f363c8
SHA1: 333384030132b83c87943b5a03c8b4b307738ffa
SHA256:12a68e5ac15ae74f917bb59b13cd7f98da0c3e3866ca75f5995557903b80c782
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.samba.jcifs:jcifs:1.2.19  Confidence:Highest

robust-http-client-1.2.jar

Description:

InputStream that hides automatic download retry

License:

MIT license: http://www.opensource.org/licenses/mit-license.php
File Path: C:\Users\Queue\.m2\repository\org\jvnet\robust-http-client\robust-http-client\1.2\robust-http-client-1.2.jar
MD5: 33f540df15bd4a3324654a7a902207a2
SHA1: dee9fda92ad39a94a77ec6cf88300d4dd6db8a4d
SHA256:015fc9ea5bbf8da691aabd5ce14429627734dcaef9d8513834dd8885f2b79df1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jvnet.robust-http-client:robust-http-client:1.2  Confidence:Highest

symbol-annotation-1.1.jar

License:

MIT License: http://opensource.org/licenses/MIT
File Path: C:\Users\Queue\.m2\repository\org\jenkins-ci\symbol-annotation\1.1\symbol-annotation-1.1.jar
MD5: aa7a9f9142f670bbcad1b906bca7c849
SHA1: 14fe06e7287a8aff81434a2fe8226744183fe955
SHA256:88ffb7b93d2fcff190cdb7fd56a4dbe933eb78ea63cff0aa12f92974aa527715
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:jenkins:jenkins:1.1  Confidence:Low  
  • maven: org.jenkins-ci:symbol-annotation:1.1  Confidence:Highest

CVE-2011-4344  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Vulnerable Software & Versions:

CVE-2012-6072  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6073  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2012-6074  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0158  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0327  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.

Vulnerable Software & Versions:

CVE-2013-0328  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2013-0329  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.

Vulnerable Software & Versions:

CVE-2013-0331  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.

Vulnerable Software & Versions:

CVE-2013-7330  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.

Vulnerable Software & Versions:

CVE-2014-2058  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7330.

Vulnerable Software & Versions:

CVE-2014-2059  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in the CLI job creation (hudson/cli/CreateJobCommand.java) in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to overwrite arbitrary files via the job name.

Vulnerable Software & Versions:

CVE-2014-2060  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2061  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.

Vulnerable Software & Versions:

CVE-2014-2062  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

Vulnerable Software & Versions:

CVE-2014-2063  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-2064  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Vulnerable Software & Versions:

CVE-2014-2065  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

Vulnerable Software & Versions:

CVE-2014-2066  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

Vulnerable Software & Versions:

CVE-2014-2067  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in java/hudson/model/Cause.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to inject arbitrary web script or HTML via a "remote cause note."

Vulnerable Software & Versions:

CVE-2014-2068  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.

Vulnerable Software & Versions:

CVE-2014-3661  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.

Vulnerable Software & Versions:

CVE-2014-3662  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.

Vulnerable Software & Versions:

CVE-2014-3663  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3664  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-3665  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave.

Vulnerable Software & Versions:

CVE-2014-3666  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.

Vulnerable Software & Versions:

CVE-2014-3667  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

Vulnerable Software & Versions:

CVE-2014-3680  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

Vulnerable Software & Versions:

CVE-2014-3681  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerable Software & Versions:

CVE-2014-9634  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

Vulnerable Software & Versions:

CVE-2014-9635  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Vulnerable Software & Versions:

CVE-2015-1806  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-1807  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts.

Vulnerable Software & Versions:

CVE-2015-1808  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data.

Vulnerable Software & Versions:

CVE-2015-1810  

Severity:Medium
CVSS Score: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HudsonPrivateSecurityRealm class in Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the "Jenkins' own user database" setting, which allows remote attackers to gain privileges by creating a reserved name.

Vulnerable Software & Versions:

CVE-2015-1812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813.

Vulnerable Software & Versions:

CVE-2015-1813  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.

Vulnerable Software & Versions:

CVE-2015-1814  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The API token-issuing service in Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a "forced API token change" involving anonymous users.

Vulnerable Software & Versions:

CVE-2015-5317  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.

Vulnerable Software & Versions:

CVE-2015-5318  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.

Vulnerable Software & Versions:

CVE-2015-5319  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration that is then used in an "XML-aware tool," as demonstrated by get-job and update-job.

Vulnerable Software & Versions:

CVE-2015-5320  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.638 and LTS before 1.625.2 do not properly verify the shared secret used in JNLP slave connections, which allows remote attackers to connect as slaves and obtain sensitive information or possibly gain administrative access by leveraging knowledge of the name of a slave.

Vulnerable Software & Versions:

CVE-2015-5321  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The sidepanel widgets in the CLI command overview and help pages in Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to the pages.

Vulnerable Software & Versions:

CVE-2015-5322  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to list directory contents and read arbitrary files in the Jenkins servlet resources via directory traversal sequences in a request to jnlpJars/.

Vulnerable Software & Versions:

CVE-2015-5323  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.

Vulnerable Software & Versions:

CVE-2015-5324  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

Vulnerable Software & Versions:

CVE-2015-5325  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Jenkins before 1.638 and LTS before 1.625.2 allow attackers to bypass intended slave-to-master access restrictions by leveraging a JNLP slave. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3665.

Vulnerable Software & Versions:

CVE-2015-5326  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the slave overview page in Jenkins before 1.638 and LTS before 1.625.2 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the slave offline status message.

Vulnerable Software & Versions:

CVE-2015-7536  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.

Vulnerable Software & Versions:

CVE-2015-7537  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.

Vulnerable Software & Versions:

CVE-2015-7538  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.

Vulnerable Software & Versions:

CVE-2015-7539  

Severity: High
CVSS Score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Vulnerable Software & Versions:

CVE-2015-8103  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

Vulnerable Software & Versions:

CVE-2016-0788  

Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.

Vulnerable Software & Versions:

CVE-2016-0789  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-0790  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0791  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

Vulnerable Software & Versions:

CVE-2016-0792  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

Vulnerable Software & Versions:

CVE-2016-3721  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-17

Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

Vulnerable Software & Versions:

CVE-2016-3722  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

Vulnerable Software & Versions:

CVE-2016-3723  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

Vulnerable Software & Versions:

CVE-2016-3724  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

Vulnerable Software & Versions:

CVE-2016-3725  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

Vulnerable Software & Versions:

CVE-2016-3726  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Multiple open redirect vulnerabilities in Jenkins before 2.3 and LTS before 1.651.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors related to "scheme-relative" URLs.

Vulnerable Software & Versions:

CVE-2016-3727  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The API URL computer/(master)/api/xml in Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-9299  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

Vulnerable Software & Versions:

CVE-2017-1000353  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

Vulnerable Software & Versions:

CVE-2017-1000354  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance.

Vulnerable Software & Versions:

CVE-2017-1000355  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.

Vulnerable Software & Versions:

CVE-2017-1000356  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

Vulnerable Software & Versions:

CVE-2017-1000362  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards. Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Vulnerable Software & Versions:

CVE-2017-1000391  

Severity: Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins versions 2.88 and earlier and 2.73.2 and earlier store metadata related to 'people', which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping, potentially resulting in problems like overwriting of unrelated configuration files.

Vulnerable Software & Versions:

CVE-2017-1000392  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Jenkins 2.88 and earlier and 2.73.2 and earlier, autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters.

Vulnerable Software & Versions:

CVE-2017-1000393  

Severity: High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Jenkins 2.73.1 and earlier and 2.83 and earlier, users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Vulnerable Software & Versions:

CVE-2017-1000394  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-fileupload library with the denial-of-service vulnerability known as CVE-2016-3092. The fix for that vulnerability has been backported to the version of the library bundled with Jenkins.

Vulnerable Software & Versions:

CVE-2017-1000395  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jenkins 2.73.1 and earlier, 2.83 and earlier provides information about Jenkins user accounts which is generally available to anyone with Overall/Read permissions via the /user/(username)/api remote API. This included e.g. Jenkins users' email addresses if the Mailer Plugin is installed. The remote API now no longer includes information beyond the most basic (user ID and name) unless the user requesting it is a Jenkins administrator.

Vulnerable Software & Versions:

CVE-2017-1000396  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-295 Improper Certificate Validation

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Vulnerable Software & Versions:

CVE-2017-1000398  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /computer/(agent-name)/api showed information about tasks (typically builds) currently running on that agent. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only shows information about accessible tasks.

Vulnerable Software & Versions:

CVE-2017-1000399  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/item/(ID)/api showed information about tasks in the queue (typically builds waiting to start). This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API endpoint is now only available for tasks that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000400  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-275 Permission Issues

The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(job-name)/api contained information about upstream and downstream projects. This included information about tasks that the current user otherwise has no access to, e.g. due to lack of Item/Read permission. This has been fixed, and the API now only lists upstream and downstream projects that the current user has access to.

Vulnerable Software & Versions:

CVE-2017-1000401  

Severity: Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for <f:password/> is now always sent via POST, which is typically not logged.

Vulnerable Software & Versions:

CVE-2017-1000504  

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A race condition during startup of Jenkins 2.94 and earlier and 2.89.1 and earlier could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.

Vulnerable Software & Versions:

CVE-2017-17383  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624.

Vulnerable Software & Versions:

CVE-2017-2608  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).

Vulnerable Software & Versions:

CVE-2018-1000067  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

Vulnerable Software & Versions:

CVE-2018-1000068  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

Vulnerable Software & Versions:

CVE-2018-1000169  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in CLICommand.java and ViewOptionHandler.java that allows unauthorized attackers to confirm the existence of agents or views with an attacker-specified name by sending a CLI command to Jenkins.

Vulnerable Software & Versions:

CVE-2018-1000170  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1000192  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

Vulnerable Software & Versions:

CVE-2018-1000193  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-19 Data Processing Errors

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

Vulnerable Software & Versions:

CVE-2018-1000194  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

Vulnerable Software & Versions:

CVE-2018-1000195  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

Vulnerable Software & Versions:

CVE-2018-1999001  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

An unauthorized modification of configuration vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

Vulnerable Software & Versions:

CVE-2018-1999002  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

Vulnerable Software & Versions:

CVE-2018-1999003  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

Vulnerable Software & Versions:

CVE-2018-1999004  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-285 Improper Authorization

An improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

Vulnerable Software & Versions:

CVE-2018-1999005  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Vulnerable Software & Versions:

CVE-2018-1999006  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

Vulnerable Software & Versions:

CVE-2018-1999007  

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTP 404 error pages while Stapler debug mode is enabled.

Vulnerable Software & Versions:

CVE-2018-1999042  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-502 Deserialization of Untrusted Data

A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Vulnerable Software & Versions:

CVE-2018-1999043  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

Vulnerable Software & Versions:

CVE-2018-1999044  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

Vulnerable Software & Versions:

CVE-2018-1999045  

Severity: Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

Vulnerable Software & Versions:

CVE-2018-1999046  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent.

Vulnerable Software & Versions:

CVE-2018-1999047  

Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-275 Permission Issues

An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

Vulnerable Software & Versions:

commons-codec-1.8.jar

Description:

The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-codec\commons-codec\1.8\commons-codec-1.8.jar
MD5: b87aa66fe75685c82d082e750ab51b2e
SHA1: af3be3f74d25fc5163b54f56a0d394b462dafafd
SHA256: 599b40b94b4a39c2550a4b5106df071aa03199b71ad5423207e2e7356aa4f8bb
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: commons-codec:commons-codec:1.8  Confidence: Highest

access-modifier-annotation-1.11.jar

File Path: C:\Users\Queue\.m2\repository\org\kohsuke\access-modifier-annotation\1.11\access-modifier-annotation-1.11.jar
MD5: e36f64c0a97b5f5bfd25d6ad295d0d17
SHA1: d1ca3a10d8be91d1525f51dbc6a3c7644e0fc6ea
SHA256: 17a7bcfadbd43a669edd46b8e6f6c421d3a00d58d1d711ee9efda5b30ff47073
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

  • maven: org.kohsuke:access-modifier-annotation:1.11  Confidence: Highest

commons-fileupload-1.3.1-jenkins-2.jar

Description:

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-fileupload\commons-fileupload\1.3.1-jenkins-2\commons-fileupload-1.3.1-jenkins-2.jar
MD5: 020a900f407ad3bf41a940df9e9fabab
SHA1: 297d1dc0a3cbdd3e125f4d506c2b73a105e6cd30
SHA256: 120fe95f98a345f2e6c04fcd266dea40e1ddab099256f2f5b344ca2a05a6e68f
Referenced In Project/Scope: DependencyCheck:provided

Identifiers

CVE-2016-1000031  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Vulnerable Software & Versions:

CVE-2016-3092  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

guava-11.0.1.jar

Description:

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

This project is a complete packaging of all the Guava libraries into a single jar. Individual portions of Guava can be used by downloading the appropriate module and its dependencies.

Guava (complete) has only one code dependency - javax.annotation, per the JSR-305 spec.

File Path: C:\Users\Queue\.m2\repository\com\google\guava\guava\11.0.1\guava-11.0.1.jar
MD5: 69a3d06554ebc3027c9432509a67ede2
SHA1: 57b40a943725d43610c898ac0169adf1b2d55742
SHA256: aa7cef9d2ba0110a2db7be0fb6e679cd71f6a26fc3ba9da7715f41d3300def1d
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

CVE-2018-10237  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Vulnerable Software & Versions:

commons-cli-1.2.jar

Description:

Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-cli\commons-cli\1.2\commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256: e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Project/Scope: DependencyCheck:compile

Identifiers

  • maven: commons-cli:commons-cli:1.2  Confidence: Highest

commons-math3-3.1.1.jar

Description:

 The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-math3\3.1.1\commons-math3-3.1.1.jar
MD5: 505ece0d2261b037101e6c4bdf541ca7
SHA1: 6719d757a98ff24a83d9d727bef9cec83f59b6e1
SHA256:a07e39d31c46032879f0a48ae1bd0142b17dd67664c008b50216e9891f346c54
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.commons:commons-math3:3.1.1  Confidence:Highest

commons-net-3.6.jar

Description:

The Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet and Whois.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\commons-net\commons-net\3.6\commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256:d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-net:commons-net:3.6  Confidence:Highest

javax.servlet-api-3.1.0.jar

Description:

 Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\Queue\.m2\repository\javax\servlet\javax.servlet-api\3.1.0\javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.servlet:javax.servlet-api:3.1.0  Confidence:Highest

jetty-xml-9.3.19.v20170502.jar

Description:

 The jetty xml utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-xml\9.3.19.v20170502\jetty-xml-9.3.19.v20170502.jar
MD5: 9264bb375d9c6629af36a8e52ddd0698
SHA1: 022a2beb794c3f0ca1ea19683bc0f0ab5839228e
SHA256:8788021203fb4ce8ac1daf81ae11a6b6eeb800fea7e6202632d43bb0a5132b47
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-xml:9.3.19.v20170502  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.3.19.v20170502  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.3.19  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

jsp-api-2.1.jar

File Path: C:\Users\Queue\.m2\repository\javax\servlet\jsp\jsp-api\2.1\jsp-api-2.1.jar
MD5: b8a34113a3a1ce29c8c60d7141f5a704
SHA1: 63f943103f250ef1f3a4d5e94d145a0f961f5316
SHA256:545f4e7dc678ffb4cf8bd0fd40b4a4470a409a787c0ea7d0ad2f08d56112987b
Referenced In Project/Scope:DependencyCheck:runtime

Identifiers

  • maven: javax.servlet.jsp:jsp-api:2.1  Confidence:Highest

jersey-core-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-core\1.19\jersey-core-1.19.jar
MD5: cdb4aea66737c70300be021a8ea50986
SHA1: 9a0619e2c514a79b610f17cadaae619c0a08d6a6
SHA256:5d1841b925fad033c836d911573457c96608cdd99c30c084f61b091aff8aa698
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-core:1.19  Confidence:Highest

jsr311-api-1.1.1.jar

License:

CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: C:\Users\Queue\.m2\repository\javax\ws\rs\jsr311-api\1.1.1\jsr311-api-1.1.1.jar
MD5: c9803468299ec255c047a280ddec510f
SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: javax.ws.rs:jsr311-api:1.1.1  Confidence:Highest

jersey-servlet-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-servlet\1.19\jersey-servlet-1.19.jar
MD5: 49ff74d5db51842561630d6bdf013d45
SHA1: 2f19f1f7096d0fe3e09ae5698e4427114c23ad03
SHA256:e7c086c51aa6be9e260ea6574d4608e7c252648a1dec5bc15f096a8626099709
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-servlet:1.19  Confidence:Highest

jersey-json-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-json\1.19\jersey-json-1.19.jar
MD5: 34b0b65ae38159c4d74ffbfc09e467e1
SHA1: 12491ab748d2bee7be96629a749f361154e6705f
SHA256:ffa5388870b68cebd5a93464f0d8e75f325aa7cb179ae069bea0f12d0fb0d534
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-json:1.19  Confidence:Highest

jettison-1.1.jar

Description:

 A StAX implementation for JSON.

File Path: C:\Users\Queue\.m2\repository\org\codehaus\jettison\jettison\1.1\jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.jettison:jettison:1.1  Confidence:Highest

jackson-core-asl-1.9.2.jar

Description:

 Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\codehaus\jackson\jackson-core-asl\1.9.2\jackson-core-asl-1.9.2.jar
MD5: 3a569b4b918f23392e63028b896cb9c4
SHA1: 8493982bba1727106d767034bd0d8e77bc1931a9
SHA256:ce1e6476ef99566f90706045be5e190769fc60d8ba2fd2c3b54c905775240148
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:1.9.2  Confidence:Low  
  • maven: org.codehaus.jackson:jackson-core-asl:1.9.2  Confidence:Highest

jersey-server-1.19.jar

Description:

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

License:

http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\Users\Queue\.m2\repository\com\sun\jersey\jersey-server\1.19\jersey-server-1.19.jar
MD5: 20d340d5e608d4b2d3701d6b411a593b
SHA1: ee2ff839a65097eb12004edd909bcb4a97a2832c
SHA256:433248a5c9990a59f8f442f10a8090ef25dadfe1a0d492efd4ce1e35b24d3e1c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.jersey:jersey-server:1.19  Confidence:Highest

log4j-1.2.17.jar

Description:

 Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\log4j\log4j\1.2.17\log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256:1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:apache:log4j:1.2.17  Confidence:Low  
  • maven: log4j:log4j:1.2.17  Confidence:Highest

commons-configuration2-2.1.1.jar

Description:

Tools to assist in the reading of configuration/preferences files in various formats.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-configuration2\2.1.1\commons-configuration2-2.1.1.jar
MD5: 6c070e57bcd44ed93994f5a33102c277
SHA1: d97d5b3f8b58c52730d47e1a63c8d3258f41ca6c
SHA256:6471f4c4fb666960eba889b768164670097022d3084018affea555e6bf8d3d79
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.commons:commons-configuration2:2.1.1  Confidence:Highest

commons-lang3-3.4.jar

Description:

Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar
MD5: 8667a442ee77e509fbe8176b94726eb2
SHA1: 5fe28b9518e58819180a43a850fbc0dd24b7c050
SHA256:734c8356420cc8e30c795d64fd1fcd5d44ea9d90342a2cc3262c5158fbc6d98b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.commons:commons-lang3:3.4  Confidence:Highest

slf4j-log4j12-1.7.25.jar

Description:

 SLF4J LOG4J-12 Binding

File Path: C:\Users\Queue\.m2\repository\org\slf4j\slf4j-log4j12\1.7.25\slf4j-log4j12-1.7.25.jar
MD5: 7f16ba3b1ab6a781c3f6887eae7b608d
SHA1: 110cefe2df103412849d72ef7a67e4e91e4266b4
SHA256:ddb343954deb6f046f862606c534178730c02ed23d0b7f6ca1012c1e3fa74273
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.slf4j:slf4j-log4j12:1.7.25  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.7.25  Confidence:Low  

avro-1.7.7.jar

Description:

 Avro core components

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\avro\avro\1.7.7\avro-1.7.7.jar
MD5: e910e3a3bad0181b1e2e55856cf3ce83
SHA1: 3548c0bc136e71006f3fc34e22d34a29e5069e50
SHA256:5ba0a81f4b0769122b6045b98bb9bbba5f2c69dbf736a6cc7ca4eb603c337487
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.avro:avro:1.7.7  Confidence:Highest

paranamer-2.3.jar

File Path: C:\Users\Queue\.m2\repository\com\thoughtworks\paranamer\paranamer\2.3\paranamer-2.3.jar
MD5: e3060bebfe449abeb277e77c4c3388cb
SHA1: 4a85963a752c0a2f715c3924bfc686865e7e1bc6
SHA256:e93f50ae4d0de11080677f44ab268691266fed2b3ff7bc6fd97636febae7d8fe
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.thoughtworks.paranamer:paranamer:2.3  Confidence:Highest

re2j-1.1.jar

License:

The Go license: https://golang.org/LICENSE
File Path: C:\Users\Queue\.m2\repository\com\google\re2j\re2j\1.1\re2j-1.1.jar
MD5: 229a629b4c09765733de88569f7c7f59
SHA1: d716952ab58aa4369ea15126505a36544d50a333
SHA256:24ada84d1b5de584e3e84b06f0c7dd562cee6eafe8dea8083bd8eb123823bbe7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.re2j:re2j:1.1  Confidence:Highest

gson-2.2.4.jar

Description:

 Google Gson library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\code\gson\gson\2.2.4\gson-2.2.4.jar
MD5: 2f54fc24807a4cad7297012dd8cebf3d
SHA1: a60a5e993c98c864010053cb901b7eab25306568
SHA256:c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.gson:gson:2.2.4  Confidence:Highest

hadoop-auth-3.1.1.jar

Description:

 Apache Hadoop Auth - Java HTTP SPNEGO

File Path: C:\Users\Queue\.m2\repository\org\apache\hadoop\hadoop-auth\3.1.1\hadoop-auth-3.1.1.jar
MD5: f4d1a978343dba4f4eed3c87ec83fe53
SHA1: e905dc16e6cf907d4146c677dbcc80d1721ddd82
SHA256:462aa81711a2d8e76e8233a2748488f830018fedb76fcaa664c032714f123442
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.hadoop:hadoop-auth:3.1.1  Confidence:Highest
  • cpe: cpe:/a:apache:hadoop:3.1.1  Confidence:Low  

nimbus-jose-jwt-4.41.1.jar

Description:

Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT).

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\nimbusds\nimbus-jose-jwt\4.41.1\nimbus-jose-jwt-4.41.1.jar
MD5: f76e8b17905ac85ed41e9a2db92aea99
SHA1: 0290f3ff0035bb2f839c77ad8ec39466f31091a8
SHA256:fbfd0d5f2b2f86758b821daa5e79b5d7c965edd9dc1b2cc80b515df1c6ddc22d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.nimbusds:nimbus-jose-jwt:4.41.1  Confidence:Highest
  • cpe: cpe:/a:connect2id:nimbus_jose+jwt:4.41.1  Confidence:Low  

jcip-annotations-1.0-1.jar

Description:

A clean room implementation of the JCIP Annotations based entirely on the specification provided by the javadocs.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\github\stephenc\jcip\jcip-annotations\1.0-1\jcip-annotations-1.0-1.jar
MD5: d62dbfa8789378457ada685e2f614846
SHA1: ef31541dd28ae2cefdd17c7ebf352d93e9058c63
SHA256:4fccff8382aafc589962c4edb262f6aa595e34f1e11e61057d1c6a96e8fc7323
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.github.stephenc.jcip:jcip-annotations:1.0-1  Confidence:Highest

json-smart-2.3.jar

Description:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\minidev\json-smart\2.3\json-smart-2.3.jar
MD5: f2a921d4baaa7308de04eed4d8d72715
SHA1: 007396407491352ce4fa30de92efb158adb76b5b
SHA256:903f48c8aa4c3f6426440b8d32de89fa1dc23b1169abde25e4e1d068aa67708b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.minidev:json-smart:2.3  Confidence:Highest

accessors-smart-1.2.jar

Description:

Java reflection gives poor performance on getter, setter and constructor calls; accessors-smart uses ASM to speed up those calls.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\net\minidev\accessors-smart\1.2\accessors-smart-1.2.jar
MD5: c28b871d258b4d347559d2eb7ecec4a3
SHA1: c592b500269bfde36096641b01238a8350f8aa31
SHA256:0c7c265d62fc007124dc32b91336e9c4272651d629bc5fa1a4e4e3bc758eb2e4
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.minidev:accessors-smart:1.2  Confidence:Highest

curator-framework-2.12.0.jar

Description:

 High-level API that greatly simplifies using ZooKeeper.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-framework\2.12.0\curator-framework-2.12.0.jar
MD5: 100b1a15c67622ac7917db7139378fc9
SHA1: fd8ffa050e7c7606dfe7dfb82d2944d8e5f1d0a3
SHA256:8c5e2ccdd94088f7db3669b8183345d88c6d3dca931542a39fe15304a3c1b278
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.curator:curator-framework:2.12.0  Confidence:Highest
  • cpe: cpe:/a:apache:zookeeper:2.12.0  Confidence:Low  

CVE-2016-5017  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.

Vulnerable Software & Versions:

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

curator-client-2.12.0.jar

Description:

 Low-level API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-client\2.12.0\curator-client-2.12.0.jar
MD5: 11583510bba70e69546594b93b1d6266
SHA1: 450fb6ec9fbd7f5e2c099be80e0473e4f06d994e
SHA256:683c5410fba7fe622f2aec6cfaff335838204d5bcd569157a548e3c1506c16aa
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.curator:curator-client:2.12.0  Confidence:Highest

curator-recipes-2.12.0.jar

Description:

 All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\apache\curator\curator-recipes\2.12.0\curator-recipes-2.12.0.jar
MD5: f6d17022058ef9ddbee118b1f54c442f
SHA1: 6903f92106c900a6bdf814067d257eaf0c4007c4
SHA256:4166d93e88c3a7bbc890e21cb927108d6efc9435c57fb5ceac9665e17fbccec2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.curator:curator-recipes:2.12.0  Confidence:Highest

jsr305-3.0.0.jar

Description:

 JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\com\google\code\findbugs\jsr305\3.0.0\jsr305-3.0.0.jar
MD5: 195d5db8981fbec5fa18d5df9fad95ed
SHA1: 5871fb60dc68d67da54a663c3fd636a10a532948
SHA256:bec0b24dcb23f9670172724826584802b80ae6cbdaba03bdebdef9327b962f6a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.google.code.findbugs:jsr305:3.0.0  Confidence:Highest

htrace-core4-4.1.0-incubating.jar

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.1.0-incubating\htrace-core4-4.1.0-incubating.jar
MD5: 34f428e68910ea6555c79e733d433f1a
SHA1: 12b3e2adda95e8c41d9d45d33db075137871d2e2
SHA256:5d45b7904857c3e4ad36b3bcc57be2d2c5f308c69b5f6a58bd86aa7d48a25ef6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.htrace:htrace-core4:4.1.0-incubating  Confidence:Highest

kerb-simplekdc-1.0.1.jar

Description:

 Kerb Simple Kdc

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-simplekdc\1.0.1\kerb-simplekdc-1.0.1.jar
MD5: 16517ceeb9c76a7499d8ae5b98607c8a
SHA1: 1e39adf7c3f5e87695789994b694d24c1dda5752
SHA256:9c9976a603833c001a8a4a4e5b2ea0a6775a84e5656b0eca1fe4eb4d068ceda7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-simplekdc:1.0.1  Confidence:Highest

kerb-client-1.0.1.jar

Description:

 Kerby-kerb Client

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-client\1.0.1\kerb-client-1.0.1.jar
MD5: bf15f4b482bd784fa8b58a3f509a4d44
SHA1: a82d2503e718d17628fc9b4db411b001573f61b7
SHA256:020fa95a809b96358ab95d43666471838372659af1cbc3f24ef73c29374e9af0
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-client:1.0.1  Confidence:Highest

kerby-config-1.0.1.jar

Description:

 Kerby config library

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-config\1.0.1\kerby-config-1.0.1.jar
MD5: f70f90ed440cee40f4f59f9c75cd6b96
SHA1: a4c3885fa656a92508315aca9b4632197a454b18
SHA256:244520e9bd61e8cd40a475fe615fbea45ca042fc9d50780df30bc7146f77b8c9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-config:1.0.1  Confidence:Highest

kerb-core-1.0.1.jar

Description:

 Kerby-kerb core facilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-core\1.0.1\kerb-core-1.0.1.jar
MD5: 545c60f29fc4d57a1e50e3be72c88fe0
SHA1: 82357e97a5c1b505beb0f6c227d9f39b2d7fdde0
SHA256:4db26bc4a106603044d8883f7280abc803b055b36f5c510a3fffc41e5de4c651
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-core:1.0.1  Confidence:Highest

kerby-pkix-1.0.1.jar

Description:

 Kerby PKIX Project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-pkix\1.0.1\kerby-pkix-1.0.1.jar
MD5: 4f99a872b054dead71460c3ed3bca6ac
SHA1: 4c1fd1f78ba7c16cf6fcd663ddad7eed34b4d911
SHA256:0410bc1950b57f4792ea6b86df59a2ee87e4ad69b33a17ded438e6686894346a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-pkix:1.0.1  Confidence:Highest

kerby-asn1-1.0.1.jar

Description:

 Kerby ASN1 Project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-asn1\1.0.1\kerby-asn1-1.0.1.jar
MD5: 95c31186c0ec12b85bde99e286fe2f8c
SHA1: d54a9712c29c4e6d9d9ba483fad3d450be135fff
SHA256:010a3c33e5b652f11cb29a6e66826a24331e526cf58662dccb4d6695fc6ca59d
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-asn1:1.0.1  Confidence:Highest

kerby-util-1.0.1.jar

Description:

 Kerby common util, without any 3rd party dependency

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-util\1.0.1\kerby-util-1.0.1.jar
MD5: 21974b90e4e4d096b526268712dfd4cb
SHA1: 389b730dc4e454f70d72ec19ddac2528047f157e
SHA256:db7e2f329e160aaac305268ccb7287c16cf5542cffdd786a8592212df7c315aa
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-util:1.0.1  Confidence:Highest

kerb-common-1.0.1.jar

Description:

 Kerby-kerb Common facilities for both client and server

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-common\1.0.1\kerb-common-1.0.1.jar
MD5: 678e68224b54168f3106b5644ef6f45f
SHA1: e358016010b6355630e398db20d83925462fa4cd
SHA256:f62bb275781f8092bb6252e4ed201c9f5e4ab7a3d49b650ab58c87862b0bb2de
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-common:1.0.1  Confidence:Highest

kerb-crypto-1.0.1.jar

Description:

 Kerby-kerb Crypto facility

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-crypto\1.0.1\kerb-crypto-1.0.1.jar
MD5: 4a201fca38ffe52565f5816d7c708ccd
SHA1: 66eab4bbf91fa01ed4f72ce771db28c59d35a843
SHA256:af94527564908b5a8ccfdfa8e67dd61c09e062459a0110d85115c42fc8f82b41
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-crypto:1.0.1  Confidence:Highest

kerb-util-1.0.1.jar

Description:

 Kerby-kerb Utilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-util\1.0.1\kerb-util-1.0.1.jar
MD5: 424542890d4dc9f61b1754a12a1c7758
SHA1: 93d37f677addd2450b199e8da8fcac243ceb8a88
SHA256:9cb1a2715a35cbabc9e8f1be3287bb086100763847e2f17577b72a025f8adaab
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-util:1.0.1  Confidence:Highest

token-provider-1.0.1.jar

Description:

 Token provider project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\token-provider\1.0.1\token-provider-1.0.1.jar
MD5: c9ebfeba17a28a69f33acbb5b6e831c5
SHA1: e6feb6b7c06600924e8b6bda3263c870cfb0a447
SHA256:022c92d7438b60789bc212f53f1f33ced2656ba8bf073a1f587df51e083e368a
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:token-provider:1.0.1  Confidence:Highest

kerb-admin-1.0.1.jar

Description:

 Kerby-kerb Admin facilities

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-admin\1.0.1\kerb-admin-1.0.1.jar
MD5: a673628234b00564b9d3254990348a85
SHA1: 7868b29620b92aa1040fe20d21ba09f2506207aa
SHA256:27b012f556b02bdf4ecd0742a7ecdd725a562e95a194e3413662fe2e781ff889
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-admin:1.0.1  Confidence:Highest

kerb-server-1.0.1.jar

Description:

 Kerby-kerb Server

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-server\1.0.1\kerb-server-1.0.1.jar
MD5: 0c067e61bd55c894a2ed67d25c75b323
SHA1: c56ffb4a6541864daf9868895b79c0c33427fd8c
SHA256:dff4eebc6cadaa8bdc1084fc1d4c20fda954aed74913845e79c89572768e463f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-server:1.0.1  Confidence:Highest

kerb-identity-1.0.1.jar

Description:

 Kerby-kerb Identity

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerb-identity\1.0.1\kerb-identity-1.0.1.jar
MD5: b25172596ffaa92105bae3d5f54639ff
SHA1: eb91bc9b9ff26bfcca077cf1a888fb09e8ce72be
SHA256:35fd995cc7a0c71f86adaf716dee34f6e4d1e473eff452a74f4430bd196e6424
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerb-identity:1.0.1  Confidence:Highest

kerby-xdr-1.0.1.jar

Description:

 Kerby XDR Project

File Path: C:\Users\Queue\.m2\repository\org\apache\kerby\kerby-xdr\1.0.1\kerby-xdr-1.0.1.jar
MD5: 052ad9372894a4f0ef0f7792dd7daa9a
SHA1: 7d1b5b69a5ea87fb2f62498710d9d788d17beb2b
SHA256:c24e2d9fbaef40a0a61ee36c19e41db5141bfbe7a2669be0227dee86ccca6d6f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.apache.kerby:kerby-xdr:1.0.1  Confidence:Highest

jetty-http-9.4.14.v20181114.jar

Description:

 Jetty module for Jetty :: Http Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-http\9.4.14.v20181114\jetty-http-9.4.14.v20181114.jar
MD5: 4d29008e598609ad4fc4d0dec1f8e9db
SHA1: 6d0c8ac42e9894ae7b5032438eb4579c2a47f4fe
SHA256:964795275e9ea340e302845630dd441d0c4977d99c990f28537d6e834260d64f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-http:9.4.14.v20181114  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.4.14.v20181114  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.4.14.v20181114  Confidence:Low  

jetty-io-9.4.14.v20181114.jar

Description:

 Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\jetty-io\9.4.14.v20181114\jetty-io-9.4.14.v20181114.jar
MD5: e75cd06b5c8942686c5e3f1f0d661a03
SHA1: a8c6a705ddb9f83a75777d89b0be59fcef3f7637
SHA256:3710e8c88f99c8047ad38e4163715c1e63026f3fa586fa7727cf81b54dc420d5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.4.14.v20181114  Confidence:Highest

plexus-archiver-3.6.0.jar

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-archiver\3.6.0\plexus-archiver-3.6.0.jar
MD5: 290b456ed8f9365fe0eaeee0e0ffa272
SHA1: 1b74dd2c2f4209d227673c2a233a1db60956b8ab
SHA256:e4d5c60de429a3eb782688218a0513b6d4ad16c50fe787b4c39ff05173eff17c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:archiver_project:archiver:3.6.0  Confidence:Low  
  • maven: org.codehaus.plexus:plexus-archiver:3.6.0  Confidence:Highest

plexus-utils-3.1.0.jar

Description:

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-utils\3.1.0\plexus-utils-3.1.0.jar
MD5: bfec331a62402081dd4143e3a8d193e4
SHA1: 60eecb6f15abdb1c653ad80abaac6fe188b3feaa
SHA256:0ffa0ad084ebff5712540a7b7ea0abda487c53d3a18f78c98d1a3675dab9bf61
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-utils:3.1.0  Confidence:Highest

plexus-io-3.0.1.jar

File Path: C:\Users\Queue\.m2\repository\org\codehaus\plexus\plexus-io\3.0.1\plexus-io-3.0.1.jar
MD5: 724b4546dd6b42fd4a0aa669cb3b2580
SHA1: f80682b2005e1274b5f50704ccb34bcf144fbda2
SHA256:3806c1798f494eeb8081d952746a99f4bffc2cde08512e0e20a6ec11ce6d02e3
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-io:3.0.1  Confidence:Highest

snappy-0.4.jar

Description:

 Port of Snappy to Java

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: C:\Users\Queue\.m2\repository\org\iq80\snappy\snappy\0.4\snappy-0.4.jar
MD5: f0792d1dbe7f90d8b34c7c19961e0073
SHA1: a42b2d92a89efd35bb14738000dabcac6bd07a8d
SHA256:46a0c87d504ce9d6063e1ff6e4d20738feb49d8abf85b5071a7d18df4f11bac9
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.iq80.snappy:snappy:0.4  Confidence:Highest

xz-1.8.jar

Description:

 XZ data compression

License:

Public Domain
File Path: C:\Users\Queue\.m2\repository\org\tukaani\xz\1.8\xz-1.8.jar
MD5: 5f982127e0de85b785c4b2abad21aa2e
SHA1: c4f7d054303948eb6a4066194253886c8af07128
SHA256:8c7964b36fe3f0cbe644b04fcbff84e491ce81917db2f5bfa0cba8e9548aff5d
Referenced In Project/Scope:DependencyCheck:runtime

Identifiers

  • cpe: cpe:/a:tukaani:xz:1.8  Confidence:Low  
  • maven: org.tukaani:xz:1.8  Confidence:Highest

CVE-2015-4035  

Severity:Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.

Vulnerable Software & Versions:

artemis-cli-1.4.0.jar: artemis-service.exe

File Path: C:\Users\Queue\.m2\repository\org\apache\activemq\artemis-cli\1.4.0\artemis-cli-1.4.0.jar\org\apache\activemq\artemis\cli\commands\bin\artemis-service.exe
MD5: f2e0f25d2c5cb9c1db26313ec55e4e7b
SHA1: 25167ad668140a05a651cd06ad1d50203bc020f7
SHA256:73d9e44d61e9b52fb22b684bc621d9bc247473b7625e3f2fc8a2d16cc0443d18
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

jolokia-war-1.3.3.war: jolokia-core-1.3.3.jar

Description:

 jar file containing servlet and helper classes

File Path: C:\Users\Queue\.m2\repository\org\jolokia\jolokia-war\1.3.3\jolokia-war-1.3.3.war\WEB-INF\lib\jolokia-core-1.3.3.jar
MD5: a74e178b7b8b111e804b4723ca7e4ee8
SHA1: 1259e53aab223899db38cda8d14cd8f337f6e945
SHA256:f52a8e36b35e70f0f55455157e1158790affb59e0858a73f908461607df3f5c5
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.jolokia:jolokia-core:1.3.3  Confidence:High
  • cpe: cpe:/a:jolokia:jolokia:1.3.3  Confidence:Low  

jolokia-war-1.3.3.war: json-simple-1.1.1.jar

Description:

 A simple Java toolkit for JSON

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\jolokia\jolokia-war\1.3.3\jolokia-war-1.3.3.war\WEB-INF\lib\json-simple-1.1.1.jar
MD5: 5cc2c478d73e8454b4c369cee66c5bc7
SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1
SHA256:4e69696892b88b41c55d49ab2fdcc21eead92bf54acc588c0050596c3b75199c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.googlecode.json-simple:json-simple:1.1.1  Confidence:High

ehcache-core-2.6.11.jar: sizeof-agent.jar

File Path: C:\Users\Queue\.m2\repository\net\sf\ehcache\ehcache-core\2.6.11\ehcache-core-2.6.11.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
SHA256:3bcd560ca5f05248db9b689244b043e9c7549e3791281631a64e5dfff15870d2
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: net.sf.ehcache:sizeof-agent:1.0.1  Confidence:High

jansi-1.16.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF\native\windows32\jansi.dll
MD5: 11656f6f0800535dc79259a4299f9b36
SHA1: 53877c745604e1489fbd7671646f3b1d4e7e2316
SHA256:57e149395d70908f47206be96e03414631ab0036b8f1edb2ec29510e54512157
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jansi-1.16.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF\native\windows64\jansi.dll
MD5: d5beb4ff523696be6d23c34a0a78fbe6
SHA1: 558aea23a4ea0f6e6824b8cd4d2b0ecb9a154f37
SHA256:3d74c12f1984b220e46456398a3890750e6aa1cc2b4102f9f8a0c0c21338d72c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

wildfly-openssl-windows-x86_64-1.0.6.Final.jar: wfssl.dll

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-windows-x86_64\1.0.6.Final\wildfly-openssl-windows-x86_64-1.0.6.Final.jar\win-x86_64\wfssl.dll
MD5: f377287aaa2f050a253fda8ec1b3e8f0
SHA1: a41632556a50eff01387754edffcb1c017c19981
SHA256:472573400a788eb04afcf7b00f6145885c8a8072a1895d64eb457f49ede10247
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

wildfly-openssl-windows-i386-1.0.6.Final.jar: wfssl.dll

File Path: C:\Users\Queue\.m2\repository\org\wildfly\openssl\wildfly-openssl-windows-i386\1.0.6.Final\wildfly-openssl-windows-i386-1.0.6.Final.jar\win-i686\wfssl.dll
MD5: f7f59b2ddc6205c9615f35355e9755b5
SHA1: a46016159ff790cfd3d0e45146061dc27eefb492
SHA256:52785b883beed5b0c0cd4f07f682f3c6daeb7002dd842d627c05d3175a3b692d
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

snappy-java-1.1.7.1.jar: snappyjava.dll

File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.7.1\snappy-java-1.1.7.1.jar\org\xerial\snappy\native\Windows\x86\snappyjava.dll
MD5: 3311b452e8619f09b279575c5ebac4c7
SHA1: b2ab0f778657b4ff3521d7c93e3e5b3b31b96ff9
SHA256:0be631df962e3dc0c5086869e77d00dde089dbde44ebb7a3e7a75b9f61fa2931
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

snappy-java-1.1.7.1.jar: snappyjava.dll

File Path: C:\Users\Queue\.m2\repository\org\xerial\snappy\snappy-java\1.1.7.1\snappy-java-1.1.7.1.jar\org\xerial\snappy\native\Windows\x86_64\snappyjava.dll
MD5: 82578a05ced2f0dc97c2e6b7d350e4c4
SHA1: 79d91441d17e3c81a8bf107ebc9843c642d9e278
SHA256:cfc8d0ea172f838b3a7502e378baed72a3ac45020fb9772667e5dffee46d588b
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • None

jffi-1.2.15-native.jar: jffi-1.2.dll

File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.15\jffi-1.2.15-native.jar\jni\i386-Windows\jffi-1.2.dll
MD5: 841e60814ed6b2971a47b267aef1c58a
SHA1: 07d30c6407fefad8df4b6afc4d85f83e547975ca
SHA256:d63b0ec9a7cc75c26fa951928bf550c0e9a5e6c195a3de94a9c24995206bbfd2
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jffi-1.2.15-native.jar: jffi-1.2.dll

File Path: C:\Users\Queue\.m2\repository\com\github\jnr\jffi\1.2.15\jffi-1.2.15-native.jar\jni\x86_64-Windows\jffi-1.2.dll
MD5: 5d80b61c1f9e31860c17b3a410948e7e
SHA1: 5ca292116336ee4ceed00d10e756afea580e62cf
SHA256:58398ba5cda1b7cb89ad4e03dd4a658006956f81acfef4efb4e7dd934e2733ef
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jline-2.12.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar\META-INF\native\windows32\jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
SHA256:0f59ff32a7c70e00a580d893de42ffaf48d0242b4d6251792666919b10ac3cd4
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jline-2.12.jar: jansi.dll

File Path: C:\Users\Queue\.m2\repository\jline\jline\2.12\jline-2.12.jar\META-INF\native\windows64\jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
SHA256:c33505a7c1fb847c03329a4f0e4b3c5cebac3a3604133d797d09172de25e3978
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

winp-1.25.jar: winp.dll

File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.25\winp-1.25.jar\winp.dll
MD5: 5f541d241085b4a0b7522355d7bbea11
SHA1: 2e9dc595297ef85a92b80f1352b16fc0f7badf66
SHA256:decfbc7fbbb6054c1b67db5cd78c07bad17bb4ebf9ffc4677ecbc37481126c62
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

winp-1.25.jar: winp.x64.dll

File Path: C:\Users\Queue\.m2\repository\org\jvnet\winp\winp\1.25\winp-1.25.jar\winp.x64.dll
MD5: 59ddba6e777434d039ae09539e6ae899
SHA1: 069e1429aad45cc6414c2800a24a2c906349202b
SHA256:434a0bdbddecf32da0eb451a3b22b443f1332f29f41a74d746f1385a78fca266
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
SHA256:361e173e6e50cb1bf8b7fab38c1ff99686ea819e58ee30348e7756cb0418a9f6
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: d2f0da769204b8c45c207d8f3d8fc37e
SHA1: c6870c1b8be2dbf1d737c918963d2f183aa778e1
SHA256:064c34c9f92f6aca636b5b53006b539853268570f048f33155c6a6635d6c0e7b
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jna-4.2.1.jar: jnidispatch.dll

File Path: C:\Users\Queue\.m2\repository\net\java\dev\jna\jna\4.2.1\jna-4.2.1.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: b04c620540a971e93390ba9ec7cc8641
SHA1: cb612a48eff7c60c40a6bb64b78fb47d5709f5e7
SHA256:1b2af8b31416f68051db213bcdcf82775e29191b6d069c327988e02e654030ad
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • None

jetty-all-9.3.10.v20160621-uber.jar (shaded: org.eclipse.jetty:jetty-io:9.3.10.v20160621)

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.3.10.v20160621\jetty-all-9.3.10.v20160621-uber.jar\META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: 12d90a6b5952eab8f7cc3d6564380832
SHA1: a81b37ec7f463df36ee753960d5d576a5e03f6ff
SHA256:e5d5d7a50bc6b13e10c5d318011ef1360791cbb9ae812c536ebbbebe497de383
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.3.10.v20160621  Confidence:High

jetty-all-9.3.10.v20160621-uber.jar (shaded: org.eclipse.jetty:jetty-util:9.3.10.v20160621)

Description:

 Utility classes for Jetty

File Path: C:\Users\Queue\.m2\repository\org\eclipse\jetty\aggregate\jetty-all\9.3.10.v20160621\jetty-all-9.3.10.v20160621-uber.jar\META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: c063ce7493ecac96f1b44d8ddecf21e8
SHA1: efd7876f5d2b42e7aced653a84b36aac84ea652a
SHA256:cb156a099d1ee85a01d3f0da4b2b0a8cb88eb3e0df62c07fcaae20f7ee91ab9f
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-util:9.3.10.v20160621  Confidence:High
  • cpe: cpe:/a:eclipse:jetty:9.3.10  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:9.3.10.v20160621  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

CVE-2018-12536  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerable Software & Versions:

aesh-readline-1.10.jar (shaded: org.aesh:aesh-terminal-api:1.10)

Description:

 Æsh (Another Extendable SHell) Terminal API

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: C:\Users\Queue\.m2\repository\org\aesh\aesh-readline\1.10\aesh-readline-1.10.jar\META-INF/maven/org.aesh/aesh-terminal-api/pom.xml
MD5: 6a338e81771c79a7669d356144cfc4da
SHA1: 32c20af4868b5057e353ce255ad59030ab60eacc
SHA256:d4b97b3468ea5be9efb6c8582fa5a5165d67f9a16fd636a7fdff7a0f8e84a1e7
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.aesh:aesh-terminal-api:1.10  Confidence:High

jansi-1.16.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.15)

Description:

 The API that projects using HawtJNI should build against.

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml
MD5: 647b1d17fea9ada902c6957c217fb028
SHA1: bdc2747022fe40d618c15d2cd8e54b216bd816a2
SHA256:d296eb284ed73aa8c8ad1deb09ada9961095a54e561fa0ae9b924baea6f81165
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.fusesource.hawtjni:hawtjni-runtime:1.15  Confidence:High

jansi-1.16.jar (shaded: org.fusesource.jansi:jansi-${platform}:1.7)

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.jansi/jansi-freebsd32/pom.xml
MD5: 313016fe540f2f7c61d5a12aec5d8f6e
SHA1: b5b391dae1f179a9c5fe0ee9f0fb8274d1c9f6f7
SHA256:2c7590e205ef70284e27e07771d6dc496a6755413b960b66a4b6f9800cd33e97
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.fusesource.jansi:jansi-${platform}:1.7  Confidence:High
  • cpe: cpe:/a:id:id-software:1.7  Confidence:Low  

wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.wildfly.galleon-plugins:wildfly-galleon-plugins:2.0.0.Final)

File Path: C:\Users\Queue\.m2\repository\org\wildfly\galleon-plugins\wildfly-galleon-plugins\2.0.0.Final\wildfly-galleon-plugins-2.0.0.Final.jar\META-INF/maven/org.wildfly.galleon-plugins/wildfly-galleon-plugins/pom.xml
MD5: 81234a6b2b27d88ec08fddd24a7929f2
SHA1: 8bbe50a111052a3243486847742fc22bc09a4e26
SHA256:f1b45fc2ad86bd2d7855f3396d921fa004a0b08f30cc2278dc520987d818c837
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.wildfly.galleon-plugins:wildfly-galleon-plugins:2.0.0.Final  Confidence:High
  • cpe: cpe:/a:wildfly:wildfly:2.0.0  Confidence:Low  

wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.jboss:jandex:2.0.3.Final)

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\galleon-plugins\wildfly-galleon-plugins\2.0.0.Final\wildfly-galleon-plugins-2.0.0.Final.jar\META-INF/maven/org.jboss/jandex/pom.xml
MD5: af8f6464bee96e4a83250aa00b594237
SHA1: b6a40c82d3ef28fc1781449f3ec3092f53453904
SHA256:1b75470b73dcc11df67dcc6c54e92084b13f2b05ffc3d0293e6b11a2e7527bb1
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: org.jboss:jandex:2.0.3.Final  Confidence:High

wildfly-galleon-plugins-2.0.0.Final.jar (shaded: org.jboss:staxmapper:1.1.0.Final)

File Path: C:\Users\Queue\.m2\repository\org\wildfly\galleon-plugins\wildfly-galleon-plugins\2.0.0.Final\wildfly-galleon-plugins-2.0.0.Final.jar\META-INF/maven/org.jboss/staxmapper/pom.xml
MD5: 6bc4a939e9bcea8610996c003668c248
SHA1: 5b569caf7031b951ff25edb80184161d2ba3c442
SHA256:21873640c046de489a0fbc1587fcd466820fd28d59d3e9aed67a1cd0355ba2bd
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:st_project:st:1.1.0  Confidence:Low  
  • maven: org.jboss:staxmapper:1.1.0.Final  Confidence:High

CVE-2017-16224  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

Vulnerable Software & Versions:

wildfly-galleon-plugins-2.0.0.Final.jar (shaded: com.googlecode.java-diff-utils:diffutils:1.3.0)

Description:

 The DiffUtils library for computing diffs, applying patches, generating side-by-side view in Java.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Queue\.m2\repository\org\wildfly\galleon-plugins\wildfly-galleon-plugins\2.0.0.Final\wildfly-galleon-plugins-2.0.0.Final.jar\META-INF/maven/com.googlecode.java-diff-utils/diffutils/pom.xml
MD5: 7840396763fafd8850bd483e096af3c7
SHA1: 7d5e372ff32c90095800f96d8308c41af0285a41
SHA256:2fe31dd6309b0f5f195bbdc4749cfc0af065d61f06cfe183dfd2f2092ab847b6
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: com.googlecode.java-diff-utils:diffutils:1.3.0  Confidence:High

jansi-1.16.jar (shaded: org.fusesource.jansi:jansi:1.16)

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

File Path: C:\Users\Queue\.m2\repository\org\fusesource\jansi\jansi\1.16\jansi-1.16.jar\META-INF/maven/org.fusesource.jansi/jansi/pom.xml
MD5: 22e8c23b0f2222d48e258bfbebeeee46
SHA1: ea66f725a6ee07c48cb093b00e842c3eefac48f6
SHA256:709d5dcc080e5e3788ff1b209bd97d9c4a6f0b80418e3d3b724f3e7e2449620c
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • cpe: cpe:/a:id:id-software:1.16  Confidence:Low  
  • maven: org.fusesource.jansi:jansi:1.16  Confidence:High

wildfly-elytron-tool-1.4.0.Final.jar (shaded: commons-cli:commons-cli:1.3.1)

Description:

 Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.

File Path: C:\Users\Queue\.m2\repository\org\wildfly\security\wildfly-elytron-tool\1.4.0.Final\wildfly-elytron-tool-1.4.0.Final.jar\META-INF/maven/commons-cli/commons-cli/pom.xml
MD5: 16849669639d4745fe0890e15856c996
SHA1: 7cfa08c046e048faf18b68b26742d3185d49fa94
SHA256:6672fad281b89974560a13e63b01a067418e7b72b2345579d6134ca0e1a3b032
Referenced In Project/Scope:DependencyCheck:provided

Identifiers

  • maven: commons-cli:commons-cli:1.3.1  Confidence:High

jaxb-core-2.3.0.1.jar (shaded: org.glassfish.jaxb:txw2:2.3.0.1)

Description:

 TXW is a library that allows you to write XML documents.

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.3.0.1\jaxb-core-2.3.0.1.jar\META-INF/maven/org.glassfish.jaxb/txw2/pom.xml
MD5: 05fabdd139d5209694d934d1fa62f245
SHA1: cb8726ed28d9e2a999d2771c6c2b272a2cf1d434
SHA256:38b91b6e93dbe1b4b73464a563545bb6213cc09947fa43bffaafb397379ccbe1
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:txw2:2.3.0.1  Confidence:High

jaxb-core-2.3.0.1.jar (shaded: org.glassfish.jaxb:jaxb-core:2.3.0.1)

Description:

 JAXB Core module. Contains sources required by XJC, JXC and Runtime modules.

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.3.0.1\jaxb-core-2.3.0.1.jar\META-INF/maven/org.glassfish.jaxb/jaxb-core/pom.xml
MD5: a8bbe13aec77cc49e66d0b5c2c141c81
SHA1: ed4111be93ec96ff6064e1953f3509aa9c51acd0
SHA256:c1a3d3fda56df5fabe6fbf9eb39b2a8ce7b53c04801498601e9e4df6d6d85166
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:jaxb-core:2.3.0.1  Confidence:High

jaxb-core-2.3.0.1.jar (shaded: com.sun.istack:istack-commons-runtime:3.0.5)

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-core\2.3.0.1\jaxb-core-2.3.0.1.jar\META-INF/maven/com.sun.istack/istack-commons-runtime/pom.xml
MD5: 5cd5eb6603c2a85e6fa5395bb7dfb6cd
SHA1: 42f3cf2e2a9547f73f08a3d551064211888cc37c
SHA256:fb892aff4c68f0efc4756c97112e044cdd44e73276d3641f9cc1d6ba3c1366e6
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: com.sun.istack:istack-commons-runtime:3.0.5  Confidence:High

jaxb-impl-2.3.0.1.jar (shaded: org.glassfish.jaxb:jaxb-runtime:2.3.0.1)

Description:

 JAXB (JSR 222) Reference Implementation

File Path: C:\Users\Queue\.m2\repository\com\sun\xml\bind\jaxb-impl\2.3.0.1\jaxb-impl-2.3.0.1.jar\META-INF/maven/org.glassfish.jaxb/jaxb-runtime/pom.xml
MD5: 42e0202fac30b06ff774cadf661aa567
SHA1: b6f003c9aba6455396d827022e5f1373fec3215d
SHA256:e8a8a903d99ec4fd866ebbf36b7c0e310101ca60820eb36e0f58184518ed8428
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: org.glassfish.jaxb:jaxb-runtime:2.3.0.1  Confidence:High

htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-core:2.4.0)

Description:

 Core Jackson abstractions, basic JSON streaming API implementation

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.1.0-incubating\htrace-core4-4.1.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
SHA256:8310978da8c7013ecaaba13c9b41b75ab3a09797ae4b946ae5e1614088f995d7
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.4.0  Confidence:Low  
  • maven: com.fasterxml.jackson.core:jackson-core:2.4.0  Confidence:High

htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)

Description:

 General data-binding functionality for Jackson: works on core streaming API

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.1.0-incubating\htrace-core4-4.1.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
SHA256:083be927bdddaf1e992d0e9f0fff509b60f35deea307216d8ba773f065a6f30c
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.4.0  Confidence:Low  
  • cpe: cpe:/a:fasterxml:jackson-databind:2.4.0  Confidence:Highest  
  • maven: com.fasterxml.jackson.core:jackson-databind:2.4.0  Confidence:High

CVE-2017-15095  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Vulnerable Software & Versions:

CVE-2017-17485  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Vulnerable Software & Versions:

CVE-2017-7525  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Vulnerable Software & Versions:

CVE-2018-5968  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Vulnerable Software & Versions:

CVE-2018-7489  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Software & Versions:

htrace-core4-4.1.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1)

Description:

 Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: C:\Users\Queue\.m2\repository\org\apache\htrace\htrace-core4\4.1.0-incubating\htrace-core4-4.1.0-incubating.jar\META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976d812430b8246deeaf2ea54610f263
SHA1: 76672afb562b9e903674ad3a544cdf2092f1faa3
SHA256:d0f2e16d054e8bb97add9ca26525eb2346f692809fcd2a28787da8ceb3c35ee8
Referenced In Project/Scope:DependencyCheck:compile

Identifiers

  • maven: commons-logging:commons-logging:1.1.1  Confidence:High

This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the NPM Public Advisories.